Marketing Automation

In Mautic versions 1.0.2 to 4.4.11 and 5.0.0-alpha to 5.0.3 a high severity vulnerability CVE-2022-25776 was detected. This vulnerability allows attackers to access restricted areas of the application, potentially exposing sensitive data such as names, surnames, company names, and stage names. To fix this issue, users must upgrade to version 4.4.12 or 5.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-25776.

In Mautic versions 5.1.0 to 5.1.1 a medium severity vulnerability CVE-2024-47059 was detected. This vulnerability allows attackers to infer whether a username is valid based on differing error messages for incorrect usernames and weak passwords. To fix this issue, users must upgrade to version 5.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47059.

In Mautic versions 1.0.0-beta4 to 4.4.11 and 5.0.0-alpha to 5.0.3 a medium severity vulnerability CVE-2022-25777 was detected. This vulnerability allows attackers to read system files and access internal addresses via a Server-Side Request Forgery (SSRF) flaw. To fix this issue, users must upgrade to version 4.4.12 or 5.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-25777.

In Mautic versions below 1.0.0 and 5.0.0 a low severity vulnerability CVE-2024-47058 was detected. This vulnerability allows attackers with access to edit a Mautic form to insert Cross-Site Scripting into the HTML field, potentially enabling the theft of sensitive information from the user’s current session. To fix this issue, users must upgrade to version 4.4.13, 5.1.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47058.

In Mautic versions below 2.6.0 and 5.0.0 a medium severity vulnerability CVE-2024-47050 was detected. This vulnerability allows attackers to exploit Cross-Site Scripting through the Page URL variable. To fix this issue, users must upgrade to versions 4.4.13 or 5.1.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-47050.

In Mautic versions up to 4.4.9 a medium severity vulnerability CVE-2024-2730 was detected. Unpublished landing pages can be accessed through public preview URLs, even by people who aren’t logged in. This could potentially leak sensitive information. There’s no fix available for this issue at the moment. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2730/.

In Mautic a medium severity vulnerability CVE-2024-2731 was detected. Users with low privileges, having all permissions deselected, can access pages revealing sensitive data such as company names, users’ names and surnames, stage names, monitoring campaigns, and their descriptions. Additionally, unprivileged users can view and modify tag descriptions. At the time of publication of the CVE no patch is available. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-2731/.

In Mautic a medium severity vulnerability CVE-2024-3448 was detected. This vulnerability allows users with low privileges to improperly perform certain AJAX actions, resulting in a Server-Side Request Forgery. Attackers can exploit this vulnerability to analyze error messages and conduct a port scan in the back-end. At the time of publication of the CVE no patch is available. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-3448/.