Vautia

Rank #21477 of 53,630
Total CVSS: 11.3
Vulnerabilities: 2 (Medium: 2)
PT-2025-35774
5.9
2025-09-03
Vmware · Spring Security · CVE-2025-9824
**Name of the Vulnerable Software and Affected Versions**

Versions prior to the patched version.

**Description**

An attacker can determine whether a user account exists by measuring how long the login request takes to return. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute-force attacks. The issue was caused by differing response times when a valid username was supplied (password hashing occurred) and when an invalid username was supplied (no password hashing occurred). The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, so that both paths take consistent time.

**Recommendations**

Upgrade to the patched version.
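To illustrate the root cause and the fix described above, here is an added example (not Spring Security's code) in Python: a minimal login check that skips hashing for unknown users, beside a version that always runs the KDF against a dummy hash. The user store, salts and iteration count are constructed for the demonstration; `hash_runs` counts KDF invocations so the two code paths can be compared without relying on wall-clock timing.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: the timing leak (no hashing on unknown users) beside
# the fix (always hash, comparing against a dummy hash when the user is unknown).
ITERATIONS = 100_000   # deliberately slow KDF, so hashing dominates response time
HASH_CALLS = 0         # counts how many times the slow KDF ran (used by hash_runs)

def hash_password(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

USERS = {"alice": make_user("correct horse battery staple")}  # constructed user store

# A hash of a random, never-used password. It can never match a real login,
# but verifying against it costs exactly one KDF run, the same as a real user.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(secrets.token_hex(32), DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False  # fast path: unknown user, no hashing -> measurable timing gap
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def login_timing_safe(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Unknown user: still pay for one KDF run against the dummy hash, then
        # fail. Both branches now perform the same amount of work.
        hmac.compare_digest(hash_password(password, DUMMY_SALT), DUMMY_HASH)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)

def hash_runs(login, username: str, password: str) -> tuple[bool, int]:
    """Return (login result, number of KDF runs the call triggered)."""
    before = HASH_CALLS
    result = login(username, password)
    return result, HASH_CALLS - before
```

The vulnerable variant triggers zero KDF runs for an unknown user and one for a known user, which is the observable difference the advisory describes; the timing-safe variant triggers exactly one in every case.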
PT-2024-11536
5.4
2024-04-12
Mautic · Mautic · CVE-2022-25774
**Name of the Vulnerable Software and Affected Versions**

Mautic versions prior to 4.4.12.

**Description**

The issue is a self-XSS vulnerability in the notifications within Mautic. Logged-in users are affected: malicious code can be injected into the notification that is generated when saving Dashboards.

**Recommendations**

Update to Mautic 4.4.12 to resolve the issue. As a temporary workaround, consider restricting the ability to save Dashboards or to inject custom code into notifications until the update is applied.