CVE-2022-25770
Mautic has insufficient authentication in upgrade flow
7.8
HIGH
CVSS 3.1
EPSS 0.30%
Description
### Impact Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable ### Patches Please upgrade to 4.4.1 or 5.1.1 or later. ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)
How to fix CVE-2022-25770
To remediate CVE-2022-25770, upgrade the affected package to a fixed version below.
- —upgrade to 4.4.13 or later
- —upgrade to 4.4.13 or later
Is CVE-2022-25770 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 1.0.0-beta3, < 4.4.13
- >= 1.0.0-beta3, < 4.4.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H |