Mautic: Arbitrary server file download

Created on 22 Nov 2017 · 4 Comments · Source: mautic/mautic

Masked for security. Please send all security vulnerabilities to [email protected]. Patch coming soon. ~ Contributors

bug

All 4 comments

@alanhartless I've found this security address here, couldn't find anything on the websites about Responsible Disclosure. Would be good to add a page for that and link to it in the footer.

@pahan12 How serious is this security issue? Should this be a reason to (temporarily) deactivate Mautic until resolved?

@micschk
As Mautic is only for admin accounts, if a user is already logged in then he can download any file from the server via this attack. This attack is only valid for authenticated users and an anonymous attacker can't exploit it. If your admin users are trusted then there is no need to temporarily disable it.

Great, thanks!
