CVE-2024-47053

Severity CVSS v4.0:

Pending analysis

Type:

CWE-285 Improper Authorization

Publication date:

26/02/2025

Last modified:

16/10/2025

Description

This advisory addresses an authorization vulnerability in Mautic&#39;s HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.<br /> <br /> * Improper Authorization: An authorization flaw exists in Mautic&#39;s API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the "Reporting Permissions > View Own" and "Reporting Permissions > View Others" permissions, which should restrict access to non-System Reports.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.70 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): None