CVE-2022-25776 — Mautic Sensitive Data Exposure due to inadequate user permission settings

Description

### Impact Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from accessing. Users could potentially access sensitive data such as names and surnames, company names and stage names. ### Patches Update to 4.4.12 and 5.0.4 ### Workarounds No ### References https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

How to fix CVE-2022-25776

To remediate CVE-2022-25776, upgrade the affected package to a fixed version below.

—upgrade to 4.4.12 or later

Is CVE-2022-25776 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.2, < 4.4.12

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25776
PATCHgithub.com/mautic/mautic
WEBgithub.com/mautic/mautic/commit/22bdd0796ca6e1e985708b89ad5c07147630fecd
WEBgithub.com/mautic/mautic/commit/2cc4af975fe01c264d439acc1451c936e7114644