SQL Injection in dynamic Reports

Moderate

RCheesley published GHSA-jj6w-2cqg-7p94

Apr 11, 2024

Package

mautic/core (Composer)

Affected versions

>= 2.14.1

Patched versions

4.4.12,5.0.4

Description

Impact

Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle.

The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems.

Patches

Update to 4.4.12 or 5.0.4

Workarounds

No

References

Severity

Moderate

6.6

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

High

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H