
Mautic has insufficient authentication in upgrade flow

High severity GitHub Reviewed Published Sep 18, 2024 in mautic/mautic • Updated Sep 19, 2024

Package: composer mautic/core (Composer)
  Affected versions: >= 1.0.0-beta3, < 4.4.13 and >= 5.0.0-alpha, < 5.1.1
  Patched versions: 4.4.13 and 5.1.1

Package: composer mautic/core-lib (Composer)
  Affected versions: >= 1.0.0-beta3, < 4.4.13 and >= 5.0.0-alpha, < 5.1.1
  Patched versions: 4.4.13 and 5.1.1

Description

Impact

Mautic allows you to update the application via an upgrade script.

The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation.

This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.

Patches

Please upgrade to 4.4.1 or 5.1.1 or later.

Workarounds

None.

For more information

If you have any questions or comments about this advisory:

References

@RCheesley RCheesley published to mautic/mautic Sep 18, 2024
Published to the GitHub Advisory Database Sep 18, 2024
Reviewed Sep 18, 2024
Last updated Sep 19, 2024

Severity

High

Weaknesses

CVE ID

CVE-2024-47051

GHSA ID

GHSA-qf6m-6m4g-rmrc

Source code

Credits
