Incorrect Regular Expression in .htaccess File Can Allow Code Execution

CVE-2022-25769

7.2HIGH

Key Information

Vendor: Mautic
Status: Mautic
Vendor: CVE Published:; 18 September 2024

Summary

ImpactThe default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application. This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.

Affected Version(s)

Mautic < 3.3.5

Mautic < 4.2.0

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Sep 18, 2024
Vulnerability Reserved.
Feb 22, 2022

Collectors

NVD DatabaseMitre Database

Credit

Mattias Michaux

John Linhart

Zdeno Kuzmany