CVE-2024-47059
Mautic allows users enumeration due to weak password login
4.3
MEDIUM
CVSS 3.1
EPSS 0.42%
Description
### Summary When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak. However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification. This difference could be used to perform username enumeration. ### Patches Update to 5.1.1 or later. If you have any questions or comments about this advisory: Email us at [security@mautic.org](mailto:security@mautic.org)
How to fix CVE-2024-47059
To remediate CVE-2024-47059, upgrade the affected package to a fixed version below.
- —upgrade to 5.1.1 or later
Is CVE-2024-47059 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.1.0, < 5.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |