CVE-2024-47059 – mautic/core

Package

Manager: composer
Name: mautic/core
Vulnerable Version: >=5.1.0 <5.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00155 pctl0.36793

Details

Mautic allows users enumeration due to weak password login ### Summary When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak. However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification. This difference could be used to perform username enumeration. ### Patches Update to 5.1.1 or later. If you have any questions or comments about this advisory: Email us at [security@mautic.org](mailto:security@mautic.org)

Metadata

Created: 2024-09-18T22:10:05Z
Modified: 2024-09-19T21:48:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-8vff-35qm-qjvv/GHSA-8vff-35qm-qjvv.json
CWE IDs: ["CWE-200", "CWE-204"]
Alternative ID: GHSA-8vff-35qm-qjvv
Finding: F310
Auto approve: 1