Mautic allows you to update the application via an upgrade script.
The upgrade logic isn\'t shielded off correctly, which may lead to vulnerable situation.
This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.
Metrics
CVSS Version: 3.1 |
Base Score: 7.8 HIGH Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
l➤ Exploitability Metrics: Attack Vector (AV)* LOCAL Attack Complexity (AC)* HIGH Privileges Required (PR)* NONE User Interaction (UI)* NONE Scope (S)* CHANGED
l➤ Impact Metrics: Confidentiality Impact (C)* NONE Integrity Impact (I)* HIGH Availability Impact (A)* HIGH
Weakness Enumeration (CWE)
CWE-ID: CWE-306 CWE Name: CWE-306 Missing Authentication for Critical Function Source: Mautic
Common Attack Pattern Enumeration and Classification (CAPEC)