The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.
History

Thu, 19 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Sep 2024 21:00:00 +0000

Type Values Removed Values Added
Description The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.
Title Improper Access Control in UI upgrade process
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Mautic

Published: 2024-09-18T20:55:53.187Z

Updated: 2024-09-19T15:42:44.517Z

Reserved: 2022-02-22T20:17:36.803Z

Link: CVE-2022-25768

cve-icon Vulnrichment

Updated: 2024-09-19T15:42:40.881Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-18T21:15:12.860

Modified: 2024-09-20T12:30:17.483

Link: CVE-2022-25768

cve-icon Redhat

No data.