### Impact
the default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application.

This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.

### Patches
Please upgrade to 3.3.5 or 4.2.0

### Workarounds
No

### References

- Release post: https://www.mautic.org/blog/community/mautic-4-2-one-small-step-mautic
- Internally tracked under MST-32

### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])

Affected Packages

Packagist mautic/core

Affected versions: 0 (fixed in 3.3.5)

Packagist mautic/core

Affected versions: 4.0.0 (fixed in 4.2.0)

Related CVEs

CVE-2022-25769

Key Information

GHSA ID

GHSA-mj6m-246h-9w56

Published

March 1, 2022 10:05 PM

Last Modified

March 1, 2022 10:05 PM

CVSS Score

5.0 /10

Primary Ecosystem

Packagist

Primary Package

mautic/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.