Incorrect Regular Expression in .htaccess File Can Allow Code Execution
CVE-2022-25769
7.2HIGH
Key Information
- Vendor
- Mautic
- Status
- Mautic
- Vendor
- CVE Published:
- 18 September 2024
Summary
ImpactThe default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application.
This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.
Affected Version(s)
Mautic < 3.3.5
Mautic < 4.2.0
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Mattias Michaux
Mattias Michaux
John Linhart
Zdeno Kuzmany