7.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5hc5-fxr9-5frc

EPSS Score

CWE

CWE-306

Published

9/19/2024

Updated

2/21/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5hc5-fxr9-5frc

GHSA-5hc5-fxr9-5frc: Duplicate Advisory: Mautic has insufficient authentication in upgrade flow

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qf6m-6m4g-rmrc. This link is maintained to preserve external references.

Original Description

Mautic allows you to update the application via an upgrade script.

The upgrade logic isn't shielded off correctly, which may lead to vulnerable situation.

This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-5hc5-fxr9-5frc

EPSS Score

CWE

CWE-306

Published

9/19/2024

Updated

2/21/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mautic/core	composer	>= 1.0.0-beta3, < 4.4.13	4.4.13
mautic/core	composer	>= 5.0.0, < 5.1.1	5.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on insufficient authentication in upgrade mechanisms. While exact code isn't available, Mautic's architecture suggests:

Web-accessible upgrade controllers would handle update initiation
CLI commands might be improperly exposed via web routes
The CWE-306 classification indicates missing auth checks in critical update functions
Version ranges suggest both legacy (4.x) and modern (5.x) implementations had similar flaws Confidence is medium as we're inferring based on component structure and vulnerability pattern, though without direct access to pre-patch code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# *upli**t* **visory T*is **visory **s ***n wit**r*wn ****us* it is * *upli**t* o* **S*-q**m-*m**-rmr*. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. # Ori*in*l **s*ription M*uti* *llows you to up**t* t** *ppli**tion vi* *n up*r*** s*ript

Reasoning

T** vuln*r**ility **nt*rs on insu**i*i*nt *ut**nti**tion in up*r*** m****nisms. W*il* *x**t *o** isn't *v*il**l*, M*uti*'s *r**it**tur* su***sts: *. W**-****ssi*l* up*r*** *ontroll*rs woul* **n*l* up**t* initi*tion *. *LI *omm*n*s mi**t ** improp*rly

7.8

Basic Information

Concerned about an active attack path?

GHSA-5hc5-fxr9-5frc: Duplicate Advisory: Mautic has insufficient authentication in upgrade flow

Duplicate Advisory

Original Description

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI