GHSA-8vff-35qm-qjvv

Suggest an improvement
Source
https://github.com/advisories/GHSA-8vff-35qm-qjvv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-8vff-35qm-qjvv/GHSA-8vff-35qm-qjvv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8vff-35qm-qjvv
Aliases
  • CVE-2024-47059
Published
2024-09-18T22:10:05Z
Modified
2024-09-19T22:01:51.778924Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mautic allows users enumeration due to weak password login
Details

Summary

When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak.

However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification.

This difference could be used to perform username enumeration.

Patches

Update to 5.1.1 or later.

If you have any questions or comments about this advisory:

Email us at security@mautic.org

References

Affected packages

Packagist / mautic/core

Package

Name
mautic/core
Purl
pkg:composer/mautic/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.1.1

Affected versions

5.*

5.1.0