
CVE-2022-25773: Mautic allows Relative Path Traversal in assets file upload

CVSS Score (CVSS v3.1): 4.3

Basic Information

EPSS Score
0.24161%
Published
2/26/2025
Updated
2/26/2025
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
mautic/core | composer | < 5.2.3 | 5.2.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the unvalidated 'tempId' parameter in UploadSubscriber.php's onPostUpload method. The commit diff shows the addition of basename() to sanitize 'tempId', indicating it was previously vulnerable to path traversal. The test case in AssetControllerFunctionalTest.php explicitly tests for this by sending a 'tempId' with '../../', which would have succeeded pre-patch. The lack of path sanitization in the original code allowed directory escape, matching CWE-22's characteristics.
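The pattern described above, as an added illustration that is not Mautic's own code: a request-supplied identifier is concatenated into an upload path either unchanged (the pre-patch shape) or after basename(), and a separate containment check confirms where the resulting path actually lands. The upload directory, the function names and the sample identifier are assumptions made for this example.

```php
<?php
// Added example (not Mautic's code). Shows why an unvalidated identifier
// used to build an upload path can escape the intended directory, and how
// basename() (the fix the advisory describes) confines it to one segment.
// UPLOAD_ROOT, the function names and the sample input are assumptions.

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/app/media/tmp'; // hypothetical upload directory

/**
 * Pre-patch shape: the identifier is concatenated into the path unchanged,
 * so any directory components it carries are honoured by the filesystem.
 */
function buildTempPathUnsafe(string $tempId): string
{
    return UPLOAD_ROOT . '/' . $tempId;
}

/**
 * Patched shape: basename() discards everything but the final path segment,
 * so the file can only land directly inside UPLOAD_ROOT. Empty and dot
 * segments are rejected explicitly, since basename() would pass them through.
 */
function buildTempPathSafe(string $tempId): string
{
    $name = basename($tempId);
    if ($name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('invalid tempId');
    }
    return UPLOAD_ROOT . '/' . $name;
}

/**
 * Lexical normalisation: resolves '.' and '..' without touching the
 * filesystem, so the example runs even though UPLOAD_ROOT does not exist.
 */
function normalisePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * Defence-in-depth containment check: after normalising, the final path must
 * still start with the intended root. Worth keeping even with basename() in
 * place, so a future refactor of the path construction cannot silently regress.
 */
function isInsideRoot(string $path, string $root): bool
{
    $normalised = normalisePath($path);
    $rootNorm = rtrim(normalisePath($root), '/');
    return $normalised === $rootNorm || str_starts_with($normalised, $rootNorm . '/');
}

// Constructed sample identifier with directory components, of the kind the
// advisory's regression test sends. Not a real request.
$sample = '../../outside.txt';

$unsafe = buildTempPathUnsafe($sample);
$safe = buildTempPathSafe($sample);

printf("unsafe: %s (inside root: %s)\n", $unsafe, isInsideRoot($unsafe, UPLOAD_ROOT) ? 'yes' : 'no');
printf("safe:   %s (inside root: %s)\n", $safe, isInsideRoot($safe, UPLOAD_ROOT) ? 'yes' : 'no');
```

Run with `php example.php` (PHP 8.0 or later, for str_starts_with). The unsafe path normalises to a location two levels above the upload directory and fails the containment check; the basename() path stays inside UPLOAD_ROOT. The containment check is the piece a reviewer would ask for in addition to basename(): it turns "the sanitiser looked right" into a property the code verifies on every request.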

WAF Protection Rules

WAF Rule

### Summary This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server. * **Improper Limitation of a Pathname to a Restricted Directory:** A vulnerability exists in the asse
