CVE-2022-25773: Mautic allows Relative Path Traversal in assets file upload
4.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.24161%
CWE
Published
2/26/2025
Updated
2/26/2025
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
mautic/core | composer | < 5.2.3 | 5.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the unvalidated 'tempId' parameter in UploadSubscriber.php
's onPostUpload
method. The commit diff shows the addition of basename()
to sanitize 'tempId', indicating it was previously vulnerable to path traversal. The test case in AssetControllerFunctionalTest.php
explicitly tests for this by sending a 'tempId' with '../../', which would have succeeded pre-patch. The lack of path sanitization in the original code allowed directory escape, matching CWE-22's characteristics.