CVE-2024-47059: Mautic allows users enumeration due to weak password login

September 18, 2024 (updated September 19, 2024)

When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak.

However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification.

This difference could be used to perform username enumeration.

References

github.com/advisories/GHSA-8vff-35qm-qjvv
github.com/mautic/mautic
github.com/mautic/mautic/security/advisories/GHSA-8vff-35qm-qjvv
nvd.nist.gov/vuln/detail/CVE-2024-47059

Detect and mitigate CVE-2024-47059 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →