CVE-2022-25768: Improper Access Control in UI upgrade process
First published: Wed Sep 18 2024(Updated: )
### Impact The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. ### Patches Upgrade to 4.4.13 or 5.1.1 or later. ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)
Credit: security@mautic.org security@mautic.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/mautic/core | >=5.0.0-alpha<5.1.1 | 5.1.1 |
| composer/mautic/core | >=1.1.3<4.4.13 | 4.4.13 |
| composer/mautic/core-lib | >=5.0.0-alpha<5.1.1 | 5.1.1 |
| composer/mautic/core-lib | >=1.1.3<4.4.13 | 4.4.13 |
| Mautic | >=1.1.3<4.4.13 | |
| Mautic | >=5.0.0<5.1.1 |
Remedy
Update to 4.4.13 or 5.1.1 or higher.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc
- https://github.com/mautic/mautic/commit/89f964d06f00688016b38a56dfd9e95fc676c7ce
- https://github.com/mautic/mautic/commit/925aeee7d3dbb6ca67f92d9dc5893d99250f739b
- https://nvd.nist.gov/vuln/detail/CVE-2022-25768
- https://github.com/advisories/GHSA-x3jx-5w6m-q2fc (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-25768?
CVE-2022-25768 has a vulnerability severity that indicates it poses a significant risk due to the lack of proper access controls.
How do I fix CVE-2022-25768?
To fix CVE-2022-25768, upgrade to Mautic version 5.1.1 or 4.4.13, depending on the installed version.
What are the affected versions by CVE-2022-25768?
CVE-2022-25768 affects Mautic core versions from 1.1.3 up to 5.1.1.
What type of access does CVE-2022-25768 entail?
CVE-2022-25768 entails a lack of access control during the update process via the user interface.
Can CVE-2022-25768 lead to information disclosure?
Yes, CVE-2022-25768 could potentially allow an attacker to access the version number of Mautic.
- agent/first-publish-date
- agent/remedy
- agent/title
- agent/type
- agent/description
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory
- source/GitHub
- alias/GHSA-x3jx-5w6m-q2fc
- alias/CVE-2022-25768
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/softwarecombine
- agent/tags
- agent/event
- collector/github-advisory-latest
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- package-manager/composer
- vendor/acquia
- canonical/mautic
- version/mautic/1.1.3
- version/mautic/5.0.0