CVE-2022-25775

2024-09-1815:15:13

CWE-89

Mautic

web.nvd.nist.gov

organization

individual

security problem announcement

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

20.0%

JSON

Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle.

The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems.

Affected configurations

Nvd

Node

acquiamauticRange2.14.1–4.4.12

acquiamauticRange5.0.0–5.0.4

VendorProductVersionCPE
acquiamautic*cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
acquia	mautic	*	cpe:2.3:a:acquia:mautic::::::::

CNA Affected

[
  {
    "collectionURL": "https://packagist.org",
    "defaultStatus": "unaffected",
    "packageName": "mautic/core",
    "product": "Mautic",
    "repo": "https://github.com/mautic/mautic",
    "vendor": "Mautic",
    "versions": [
      {
        "lessThan": "< 4.4.12",
        "status": "affected",
        "version": ">= 2.14.1",
        "versionType": "semver"
      },
      {
        "lessThan": "< 5.0.4",
        "status": "affected",
        "version": "> 5.0.0",
        "versionType": "semver"
      }
    ]
  }
]