CVE-2017-1000490

MEDIUM6.5EPSS 0.34%

Mautic users able to download any files from server using filemanager

Published: 1/19/2021Modified: 2/16/2024

Description

### Impact Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to. ### Patches Update to 2.12.0 or later. ### Workarounds None ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

Affected packages (1)

Packagist/mautic/core>= 1.0.0, < 2.12.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000490
WEBhttps://github.com/mautic/mautic/commit/3b01786433ae15e9a23f1eb9b0d3dfdb065b6241
WEBhttps://github.com/mautic/mautic/releases/tag/2.12.0
WEBhttps://github.com/mautic/mautic/security/advisories/GHSA-qpgw-2c72-4c89