Tomasz Kowalczyk

**Name of the Vulnerable Software and Affected Versions** Mautic (affected versions not specified) **Description** A security issue exists in the "Forget your password" functionality of Mautic, allowing unauthenticated users to enumerate valid usernames through a timing-based attack. This is due to differences in response times for existing and non-existing users, combined with a lack of request limiting. **Recommendations** Update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.

**Name of the Vulnerable Software and Affected Versions** Mautic versions prior to the version that properly validates or sanitizes the returnUrl parameter **Description** The issue is related to an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by an attacker to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits. The vulnerability exists in the "/s/action/unlock/user.user/0" endpoint, where the `returnUrl` parameter is not properly validated, allowing an attacker to craft a URL that redirects users to an arbitrary external website. **Recommendations** Update Mautic to a version that properly validates or sanitizes the `returnUrl` parameter to ensure that redirects only occur to trusted, internal URLs or explicitly whitelisted domains. As a temporary workaround, consider restricting access to the `/s/action/unlock/user.user/0` endpoint to minimize the risk of exploitation. Avoid using the `returnUrl` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mautic versions prior to 5.1.1 **Description** The application responds differently when logging in with a correct username and incorrect weak password versus an incorrect username and weak password. This difference could be used to perform username enumeration. When a correct username is used with an incorrect weak password, the user receives a notification stating that their password is too weak. In contrast, when an incorrect username is provided alongside a weak password, the application responds with an 'Invalid credentials' notification. **Recommendations** Update to version 5.1.1 or later to resolve the issue.