CVE-2022-25768

MEDIUM EPSS 20.6%

Published Sep 18, 20241y ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Sep 18, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.

CVSS Details

Base Score

6.5

Exploitability

3.9

Impact

2.5

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

20.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-287 Improper Authentication Authentication

CWE-862 Missing Authorization Authorization

Affected Products 2

Vendor	Product	Version	Range
acquia	mautic	*	≥1.1.3 – <4.4.13
acquia	mautic	*	≥5.0.0 – <5.1.1

References 1

github.com https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.