Mautic: MST-48 Server-Side Request Forgery in Asset section

Moderate severity GitHub Reviewed Published Apr 11, 2024 in mautic/mautic • Updated Apr 12, 2024

Package

composer mautic/core (Composer)

Affected versions

>= 1.0.0-beta4, < 4.4.12
>= 5.0.0-alpha, < 5.0.4

Patched versions

4.4.12
5.0.4

Description

Impact

Prior to the patched versions, an authenticated Mautic user could exploit a Server-Side Request Forgery (SSRF) vulnerability in the Asset section to read system files and reach the internal addresses of the application's network.
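The advisory names the vulnerability class (a server-side fetch of a user-supplied asset URL that can be pointed at local files or internal hosts) but does not show the fix. The following is an added example, not Mautic's code and not the patch shipped in 4.4.12 / 5.0.4, of the defensive check a remote-asset fetch should apply before opening a user-supplied URL: allow only http/https (which blocks file://), reject embedded credentials, and require every address the host resolves to be publicly routable. The function names, the injectable resolver and the FAKE_DNS table are constructed for this illustration so that it runs offline.

```python
"""Pre-fetch validation of a user-supplied remote asset URL (SSRF guard).

Added illustration of the vulnerability class in the advisory; not Mautic code.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A resolver maps a hostname to the list of addresses it resolves to. It is
# injectable so the check can be exercised without network access.
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Real DNS lookup via the OS resolver (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (including 169.254.169.254), documentation
    ranges and multicast are all rejected. IPv4-mapped IPv6 literals are
    unwrapped first so ::ffff:10.0.0.1 is judged as 10.0.0.1.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def validate_asset_url(url: str, resolve: Resolver = default_resolver) -> str:
    """Return the URL unchanged if it is safe to fetch server-side, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    # IP literals are checked directly; names are resolved, and every returned
    # address must be public, because one internal record is enough to reach inside.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        if not addrs:
            raise ValueError(f"cannot resolve {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


# Constructed stand-in for DNS (hypothetical names; 8.8.8.8 / 1.1.1.1 are just
# well-known public addresses used as "safe" answers).
FAKE_DNS = {
    "cdn.example": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.20.30.40"],
    "mixed.example": ["1.1.1.1", "192.168.1.5"],
}


def fake_resolver(host: str) -> list[str]:
    """Offline resolver over FAKE_DNS; unknown names fail like a real lookup."""
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]


def classify(url: str, resolve: Resolver = fake_resolver) -> str:
    """'allowed' or 'blocked: <reason>' for a candidate asset URL."""
    try:
        validate_asset_url(url, resolve)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for candidate in [
        "https://cdn.example/logo.png",
        "file:///etc/passwd",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.example/",
        "http://mixed.example/",
        "http://[::ffff:10.0.0.1]/",
        "http://user:pw@cdn.example/",
    ]:
        print(f"{candidate:45} {classify(candidate)}")
```

The check runs before the fetch, so it only closes the gap between validation and connection if the HTTP client then connects to the address that was validated (pinning the resolved IP and sending the original name in the Host header) and re-runs the check on every redirect target; otherwise a name that changes its answer between the two lookups still reaches an internal host.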

Patches

Update to 4.4.12 (4.x branch) or 5.0.4 (5.x branch).

Workarounds

None

References

If you have any questions or comments about this advisory:

Email us at security@mautic.org

@RCheesley RCheesley published to mautic/mautic Apr 11, 2024
Published to the GitHub Advisory Database Apr 12, 2024
Reviewed Apr 12, 2024
Last updated Apr 12, 2024

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

Weaknesses

CVE ID

CVE-2022-25777

GHSA ID

GHSA-mgv8-w49f-822w

Source code

Credits
