PT-2024-32378 · Mautic · Mautic

John Linhart +4

Published: 2024-09-18 · Updated: 2024-09-20

CVE-2024-47059
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mautic versions prior to 5.1.1
Description: The application responds differently when logging in with a correct username and an incorrect, weak password than when logging in with an incorrect username and a weak password. This difference could be used to perform username enumeration. When a correct username is used with an incorrect weak password, the user receives a notification stating that their password is too weak. In contrast, when an incorrect username is provided alongside a weak password, the application responds with an 'Invalid credentials' notification.
Recommendations: Update to version 5.1.1 or later to resolve the issue.
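The following is an added illustration of the flaw described above, not Mautic's own code: a minimal login routine that runs the weak-password check before the credentials are verified (so the message leaks whether the username exists) next to a hardened version that returns one generic failure message and only raises the weak-password notice after a successful login. The user store, salt, password policy and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed example data: one known user with a PBKDF2-hashed password.
# None of this is Mautic's storage format; it only models the login flow.
SALT = b"constructed-example-salt"
ITERATIONS = 10_000
MIN_PASSWORD_LENGTH = 8  # assumed weak-password rule for the example


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": _hash("CorrectHorse!42")}
# Dummy hash used for unknown users so both branches do the same amount of work.
DUMMY_HASH = _hash("not-a-real-password")


def is_weak(password: str) -> bool:
    return len(password) < MIN_PASSWORD_LENGTH


def login_vulnerable(username: str, password: str) -> str:
    """Models the pre-5.1.1 behaviour: the weak-password notice is emitted
    for an existing user before the password is checked, while an unknown
    user always gets 'Invalid credentials'. The two messages differ, so the
    response reveals whether the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return "Invalid credentials"
    if is_weak(password):
        return "Password too weak"  # leaks: only reachable for a real username
    if hmac.compare_digest(stored, _hash(password)):
        return "OK"
    return "Invalid credentials"


def login_fixed(username: str, password: str) -> str:
    """Hardened flow: verify credentials first, always hash the candidate
    password (unknown user or not), and return a single generic failure
    message. Password-strength advice is given only to an authenticated user."""
    stored = USERS.get(username)
    expected = stored if stored is not None else DUMMY_HASH
    candidate = _hash(password)
    authenticated = hmac.compare_digest(expected, candidate) and stored is not None
    if not authenticated:
        return "Invalid credentials"
    if is_weak(password):
        return "OK; your password is too weak, please change it"
    return "OK"


def responses_are_uniform(login_fn, known_user: str, unknown_user: str, password: str) -> bool:
    """Defender-side check: a failed login must look the same whether or not
    the username exists. Returns True when the two responses are identical."""
    return login_fn(known_user, password) == login_fn(unknown_user, password)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "uniform:", responses_are_uniform(fn, "alice", "mallory", "abc"))
```

The `responses_are_uniform` check is the property to verify after upgrading: with a weak, wrong password the vulnerable routine answers "Password too weak" for the existing user and "Invalid credentials" for the unknown one, while the hardened routine answers "Invalid credentials" in both cases and does the same hashing work for both, so neither the message nor the response time distinguishes them.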

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-47059
GHSA-8VFF-35QM-QJVV

Affected Products

Mautic