GHSA-jj6w-2cqg-7p94: Mautic SQL Injection in dynamic Reports

Impact

Prior to the patched versions, Mautic is vulnerable to SQL injection in the Reports bundle, reachable by logged-in users.

Such a user could read and alter data, including sensitive data and login credentials, and, depending on the database user's permissions, manipulate the file system.

Patches

Update to 4.4.12 or 5.0.4

Workarounds

None.

References

  • https://owasp.org/www-community/attacks/SQL_Injection
  • https://owasp.org/www-community/attacks/Blind_SQL_Injection

Package

composer mautic/core (Composer)

Affected versions

>= 2.14.1, < 4.4.12

>= 5.0.0-alpha, < 5.0.4

Patched versions

4.4.12

5.0.4
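As an added example (not part of the advisory or of the Mautic project), a small Python check that reads a composer.lock and reports whether the locked mautic/core version falls inside the affected ranges listed above; the lock fragment is constructed, and the version comparison treats a pre-release tag such as 5.0.0-alpha as sorting below the final release with the same numbers.

```python
import json
import re

# Affected ranges from GHSA-jj6w-2cqg-7p94 for mautic/core (Composer):
# lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("2.14.1", "4.4.12"), ("5.0.0-alpha", "5.0.4")]


def parse_version(v):
    """Turn '5.0.0-alpha' into a comparable tuple: numeric core, then a
    pre-release marker (a tagged build sorts below the final release)."""
    core, _, pre = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core))
    nums += (0,) * (3 - len(nums))  # pad '4.4' to (4, 4, 0)
    return nums, ((0, pre) if pre else (1, ""))


def is_affected(version):
    """True if the mautic/core version lies in any affected range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def installed_mautic_core(lock_json):
    """Return the locked mautic/core version from composer.lock text, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "mautic/core":
            return pkg.get("version")
    return None


# Constructed sample composer.lock fragment (not from a real deployment).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "mautic/core", "version": "4.4.11"},
    {"name": "symfony/console", "version": "v5.4.0"},
]})

if __name__ == "__main__":
    v = installed_mautic_core(SAMPLE_LOCK)
    state = "AFFECTED, update to 4.4.12 or 5.0.4" if is_affected(v) else "not affected"
    print(f"mautic/core {v}: {state}")
```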


References

  • GHSA-jj6w-2cqg-7p94
  • mautic/mautic@cab65e0
  • mautic/mautic@e75b1ee

RCheesley published to mautic/mautic

Apr 11, 2024

Published to the GitHub Advisory Database

Apr 12, 2024

Reviewed

Apr 12, 2024

Last updated

Apr 12, 2024