PT-2024-11534 · Mautic · Mautic
John Linhart +3
Published 2024-09-18 · Updated 2024-09-20
CVE-2022-25768
CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Mautic versions prior to 4.4.13
Mautic versions prior to 5.1.1
Description
The logic that drives the update process through the user interface lacks an access-control check verifying that the caller has permission to perform those tasks. Before the patch is applied, an attacker might be able to read the Mautic version number or to execute parts of the upgrade process without permission. Because upgrading through the user interface is deprecated, this functionality is no longer required.
Recommendations
Upgrade to version 4.4.13 or later.
Upgrade to version 5.1.1 or later.
As a temporary workaround, consider disabling the update process via the user interface until a patch is applied.
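As an added example (not part of this advisory or of the Mautic project), a small Python check that maps an inventory of installed Mautic versions onto the affected ranges above; the hostnames and versions in the sample inventory are constructed.

```python
"""Defender-side check for the Mautic version ranges named in this advisory:
every release before 4.4.13, and 5.0.0 up to (but not including) 5.1.1."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final_release)

# Affected ranges derived from the advisory, as [lower, upper) in Version order.
# A pre-release of the fixed version (e.g. 4.4.13-rc1) sorts below the final
# release and is therefore still counted as affected (conservative assumption).
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (4, 4, 13, 1)),  # anything before 4.4.13
    ((5, 0, 0, 0), (5, 1, 1, 1)),   # 5.x before 5.1.1
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+][0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Version:
    """Parse '4.4.12', 'v5.0.3' or '5.1.1-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups()[:3])
    suffix = m.group(4)
    is_final = 0 if suffix and suffix.startswith("-") else 1  # '-rc1' < release
    return (major, minor, patch, is_final)


def is_affected(text: str) -> bool:
    """True when the given version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory: List[str]) -> List[str]:
    """Return 'host version' entries from a 'host,version' inventory that need the upgrade."""
    hits = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, version = line.split(",", 1)
        if is_affected(version):
            hits.append(f"{host.strip()} {version.strip()}")
    return hits


# Constructed sample inventory (not real hosts): host,installed Mautic version
SAMPLE_INVENTORY = [
    "# host,version",
    "crm-a.example.internal,4.4.12",
    "crm-b.example.internal,4.4.13",
    "crm-c.example.internal,5.0.4",
    "crm-d.example.internal,5.1.1-rc1",
    "crm-e.example.internal,5.1.1",
]

if __name__ == "__main__":
    for entry in affected_hosts(SAMPLE_INVENTORY):
        print("upgrade needed:", entry)
```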
Fix
Weakness types
Improper Access Control
Improper Authentication
Missing Authorization
Affected Products
Mautic