PT-2024-32376 · Mautic · Mautic
Lenon Leite
Published 2024-09-18 · Updated 2025-03-19
CVE-2024-47051
| CVSS v3.1 | 9.9 (Critical) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Mautic versions prior to 5.2.3
Description
The issue involves two critical security vulnerabilities that can be exploited by authenticated users. The first is a Remote Code Execution (RCE) vulnerability in asset upload: allowed file extensions are not sufficiently enforced, so an attacker can upload executable files such as PHP scripts. The second is a Path Traversal vulnerability in the upload validation process, which lets an authenticated user manipulate the file deletion step and delete arbitrary files on the host system. It is estimated that over 200,000 organizations are exposed to this vulnerability.
Recommendations
To resolve the issue, update to Mautic version 5.2.3 or later. As a temporary workaround, consider restricting access to the asset upload functionality and the upload validation process to minimize the risk of exploitation. Additionally, monitor system logs for suspicious activity and implement additional security measures to prevent unauthorized access.
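The two checks that close the weaknesses described above, written as an added example (not Mautic's code and not the vendor's fix): an extension allow-list applied to every suffix of the uploaded name, and a path-containment check before any deletion. The allow-list, the executable-suffix list and the upload directory used here are constructed assumptions.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed allow-list for the example; Mautic's real configuration differs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "csv", "txt"}
# Suffixes a PHP-capable web server might execute; rejected wherever they appear.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def validate_upload_name(filename: str) -> bool:
    """Return True only if the name is a bare file name with allowed extensions.

    Every suffix is checked, not just the last one, so 'report.php.jpg' is
    rejected even though it ends in an allowed extension.
    """
    if not filename or "/" in filename or "\\" in filename or "\0" in filename:
        return False                      # no directory components at all
    name = PurePosixPath(filename).name
    if name.startswith("."):
        return False                      # dotfiles such as .htaccess
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False                      # no extension, or an empty segment
    suffixes = parts[1:]
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_EXTENSIONS


def resolve_inside(upload_dir: str, user_path: str) -> Optional[Path]:
    """Resolve user_path under upload_dir; return None if the result escapes it.

    Absolute paths, '..' segments and symlinks are all covered by resolving
    both sides and requiring the target to be relative to the base directory.
    """
    base = Path(upload_dir).resolve()
    target = (base / user_path).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def delete_asset(upload_dir: str, user_path: str) -> bool:
    """Delete a stored asset only if it lies inside upload_dir (hypothetical dir)."""
    target = resolve_inside(upload_dir, user_path)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True
```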
Fix
RCE · Missing Authentication · Relative Path Traversal · Code Injection
Related Identifiers
Affected Products: Mautic