SB2025022612 - Multiple vulnerabilities in Mautic

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2024-47053)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to insufficient authorization controls in Reporting API. A remote user can gain access to sensitive information on the system.

2) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the upload validation process. A remote user can send a specially crafted HTTP request and delete arbitrary files on the system.

3) Code Injection (CVE-ID: CVE-2024-47051)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Asset Uploads. A remote user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Path traversal (CVE-ID: CVE-2022-25773)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in assets file upload. A remote user can send a specially crafted HTTP request and upload arbitrary files on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/mautic/mautic/security/advisories/GHSA-8xv7-g2q3-fqgc
• https://github.com/mautic/mautic/security/advisories/GHSA-73gx-x7r9-77x2
• https://github.com/mautic/mautic/security/advisories/GHSA-4w2w-36vm-c8hf