Marketing Automation

In Mautic versions above 4.0 a medium severity vulnerability CVE-2025-5257 was detected. This vulnerability allows unauthenticated attackers to access unpublished page previews via predictable URLs, potentially exposing draft content or sensitive information to the public and search engine indexing. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5257.

In Mautic versions above 1.0 a medium severity vulnerability CVE-2025-5256 was detected. This vulnerability allows attackers to redirect users to malicious external websites via the returnUrl parameter in the user unlocking endpoint, potentially leading to phishing or exploit delivery. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5256.

In Mautic versions above 1.0 a medium severity vulnerability CVE-2024-47057 was detected. This vulnerability allows unauthenticated attackers to enumerate valid usernames through the “Forget your password” functionality by exploiting differences in response times for valid and invalid users. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47057.

In Mautic versions above 4.4 a high severity vulnerability CVE-2024-47056 was detected. This vulnerability allows unauthenticated attackers to access sensitive .env configuration files via a web browser due to improper web server restrictions, potentially exposing database credentials, API keys, and other critical data. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47056.

In Mautic versions above 5.0 a medium severity vulnerability CVE-2024-47055 was detected. This vulnerability allows authenticated users to clone segments without proper authorization due to missing permission checks in the segment cloning functionality. To address this issue, users should upgrade Mautic to versions 5.2.6 or 6.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47055.

In Mautic versions before 5.2.3 two critical security vulnerabilities CVE-2024-47051 were detected. These vulnerabilities allow authenticated users to execute remote code via asset upload by bypassing file extension restrictions and to delete arbitrary files through a path traversal flaw. To address this issues, users should upgrade Mautic to versions 5.2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47051.

In Mautic versions from 1.0.0-beta2 to 4.4.11 a critical severity vulnerability CVE-2021-27915 was detected. This vulnerability allows logged-in users with appropriate permissions to exploit XSS vulnerabilities in the description fields. This could result in elevated access to the system. To fix this issue, upgrade to version 4.4.12 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27915.

In Mautic versions 1.0.0-beta4 to 4.4.12 and 5.0.0-alpha to 5.1.0 (mautic/core and mautic/core-lib via Composer) a high severity vulnerability (CVE-2021-27917) was detected. This stored XSS vulnerability allows attackers to inject malicious scripts into the contact tracking and page hits report, potentially compromising sensitive data. To fix this issue, users must upgrade to versions 4.4.13 or 5.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2021-27917.

In Mautic versions 1.0.2 to 4.4.11 and 5.0.0-alpha to 5.0.3 a high severity vulnerability CVE-2022-25776 was detected. This vulnerability allows attackers to access restricted areas of the application, potentially exposing sensitive data such as names, surnames, company names, and stage names. To fix this issue, users must upgrade to version 4.4.12 or 5.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-25776.