36 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the enforcement of owner-scope permissions such as viewown or editown. An attacker can gain unauthorized access or modify resources belonging to other users by exploiting improper permission checks in the API...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via insufficient validation of user-supplied URLs in the Focus component. An attacker can cause the server to send HTTP requests to internal or external destinations by supplying crafted URLs. This can...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the GrapesJsBuilder file upload process. An attacker can execute arbitrary code on the server by uploading malicious files without restriction. Note: This is only exploitable if the media folder is not restrict...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper privilege management in the upload process. An attacker can install or remove arbitrary packages and potentially execute malicious code by leveraging insufficient access controls in the...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass due to improper privilege management in the upload process. An attacker can install or remove arbitrary packages and potentially execute malicious code by leveraging insufficient access controls in the...
User Enumeration
mautic/core is vulnerable to user enumeration. The vulnerability is due to differing response times between valid and invalid usernames, which allows an attacker to enumerate valid accounts and subsequently attempt brute-force attacks...
Improper Access Control
mautic/core is vulnerable to improper access control. The vulnerability is due to insufficient restriction on configuration access, which allows an administrator to extract sensitive information such as database credentials...
Cross Site Scripting (XSS)
mautic/core is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to unsanitized user-supplied input in the “Tags” field of the /s/ajax?action=lead:addLeadTags endpoint being reflected in the server response, which allows an attacker to execute arbitrary JavaScript in the victim’s...
Observable Response Discrepancy
Overview Affected versions of this package are vulnerable to Observable Response Discrepancy via the login process. An attacker can determine whether specific usernames exist by measuring response times during authentication attempts. Remediation Upgrade mautic/core-lib to version 5.2.8, 6.0.5 or...
Unverified Ownership
Overview Affected versions of this package are vulnerable to Unverified Ownership via the elfinder process. An attacker can access sensitive information by modifying application configuration to extract secrets that are not typically available to them. Remediation Upgrade mautic/core-lib to versi...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the webhook functionality. An attacker can access internal network resources and potentially retrieve partial response data by specifying arbitrary destinations when sending webhooks. Note: This is...
Insecure Direct Object Reference (IDOR)
mautic/core is vulnerable to an Insecure Direct Object Reference IDOR. The vulnerability is due to missing authorization checks in the segment cloning function, which allows authenticated users to clone segments even if they don’t have the necessary permissions...
Username Enumeration
mautic/core is vulnerable to User Enumeration. The vulnerability is due to differences in response times between valid and invalid usernames in the "Forget your password" functionality, which allows an attacker to determine the existence of valid usernames...
Sensitive Information Disclosure
mautic/core is vulnerable to Sensitive Information Disclosure. The vulnerability is due to unauthenticated arbitrary file access caused by missing web server restrictions on .env files, which allows attackers to directly view sensitive configurations via a browser...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the cloneAction of the segment management. An attacker can bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones by exploiting the missing...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect through the returnUrl parameter. An attacker can redirect users to malicious websites by crafting a URL that, when clicked, leads to an arbitrary external site. Remediation Upgrade mautic/core-lib to version 5.2.6, 6.0.2 o...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack due to differences in response times for existing and non-existing users in the password reset functionality. An attacker can determine the existence of usernames by observing the time it takes for the server to respond...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input via the page preview functionality. An attacker can access unpublished content and potentially expose sensitive information by exploiting predictable URLs without proper authorization...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to improper server configuration that fails to restrict access to sensitive files. An attacker can view sensitive configuration data, including database...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Reporting API. An attacker can gain unauthorized access to sensitive report data by exploiting the flawed HTTP Basic Authentication implementation. Note: This is only exploitable if the API is enabled and...