A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.
During campaign import, the application extracts the uploaded ZIP file to a temporary directory. An error in the path validation logic allows the use of path traversal sequences (e.g., '../'), which enable a file inside the ZIP archive to escape the intended temporary directory. The attacker can thus write arbitrary PHP files to critical system directories — for example, overwriting configuration files or cache components. After writing the malicious file, it can be executed remotely by the web server, leading to complete RCE.
The attacker gains the ability to execute code remotely (RCE) in the context of the web server user, which may lead to complete server takeover, data breach, and violation of system integrity and availability.
Apply patches available from the vendor according to references (https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x). Until the patch is applied, it is recommended to restrict or disable campaign:imports:create permissions for unauthorized users and monitor attempts to upload ZIP files in the campaign import module.
Mautic 7 — users with permissions to import campaigns (campaign:imports:create). Detailed information about affected versions is provided in the vendor's references.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H