CVE-2022-25775 — Mautic SQL Injection in dynamic Reports

Description

### Impact Prior to the patched version, logged in users of Mautic are vulnerable to an SQL injection vulnerability in the Reports bundle. The user could retrieve and alter data like sensitive data, login, and depending on database permission the attacker can manipulate file systems. ### Patches Update to 4.4.12 or 5.0.4 ### Workarounds No ### References - https://owasp.org/www-community/attacks/SQL_Injection - https://owasp.org/www-community/attacks/Blind_SQL_Injection

How to fix CVE-2022-25775

To remediate CVE-2022-25775, upgrade the affected package to a fixed version below.

—upgrade to 4.4.12 or later

Is CVE-2022-25775 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.14.1, < 4.4.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25775
PATCHgithub.com/mautic/mautic
WEBgithub.com/mautic/mautic/commit/cab65e0acc4f23c4f07c117dee1b69dac5abed3f
WEBgithub.com/mautic/mautic/commit/e75b1eea16309588f069169b5882cf53f854dbd8