CVE-2022-25768

low-risk

Published 2024-09-18

The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required.

Do I need to act?

0.37% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.0/10 High

NETWORK / HIGH complexity

Affected Products (1)

Mautic

Affected Vendors

Acquia

References (1)

Vendor Advisory https://github.com/mautic/mautic/security/advisories/GHSA-x3jx-5w6m-q2fc

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal