CVE-2024-47057

Published: May 28, 2025

Modified: May 29, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

SummaryThis advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack. MitigationPlease update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.

Vendor	Product	Versions
Mautic	Mautic	affected `> 1.0 - < < 6.0.2, < 5.2.6, < 4.4.16`

Weaknesses (CWE)

CWE-203

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/mautic/mautic/security/advisories/GHSA-424x-cxvh-wq9p

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-47057

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References