{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47053", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "state": "PUBLISHED", "assignerShortName": "Mautic", "dateReserved": "2024-09-17T13:41:00.584Z", "datePublished": "2025-02-26T11:54:17.219Z", "dateUpdated": "2025-03-12T19:51:32.738Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://packagist.org", "defaultStatus": "unaffected", "packageName": "mautic/core", "product": "mautic/core", "repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "versions": [{"lessThan": "< 5.2.3", "status": "affected", "version": ">= 1.0.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Putzwasser"}, {"lang": "en", "type": "remediation developer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "Patryk Gruszka"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}], "datePublic": "2025-02-25T11:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.</p><ul><li><strong>Improper Authorization:</strong>&nbsp;An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the \"Reporting Permissions &gt; View Own\" and \"Reporting Permissions &gt; View Others\" permissions, which should restrict access to non-System Reports.</li></ul>"}], "value": "This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.\n\n  *  Improper Authorization:\u00a0An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the \"Reporting Permissions > View Own\" and \"Reporting Permissions > View Others\" permissions, which should restrict access to non-System Reports."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2025-02-26T11:55:28.089Z"}, "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-8xv7-g2q3-fqgc"}, {"url": "https://cwe.mitre.org/data/definitions/287.html"}, {"url": "https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings"}], "source": {"advisory": "GHSA-8xv7-g2q3-fqgc", "discovery": "USER"}, "title": "Improper Authorization in Reporting API", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Disable the API in Mautic. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings\">documentation</a>.</p>"}], "value": "Disable the API in Mautic. See  documentation https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings ."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-26T14:43:36.534365Z", "id": "CVE-2024-47053", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-12T19:51:32.738Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-26T14:43:36.534365Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T14:43:43.598Z"}}], "cna": {"title": "Improper Authorization in Reporting API", "source": {"advisory": "GHSA-8xv7-g2q3-fqgc", "discovery": "USER"}, "credits": [{"lang": "en", "type": "reporter", "value": "Putzwasser"}, {"lang": "en", "type": "remediation developer", "value": "Lenon Leite"}, {"lang": "en", "type": "remediation reviewer", "value": "Patryk Gruszka"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mautic/mautic", "vendor": "Mautic", "product": "mautic/core", "versions": [{"status": "affected", "version": ">= 1.0.1", "lessThan": "< 5.2.3", "versionType": "semver"}], "packageName": "mautic/core", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "datePublic": "2025-02-25T11:44:00.000Z", "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-8xv7-g2q3-fqgc"}, {"url": "https://cwe.mitre.org/data/definitions/287.html"}, {"url": "https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings"}], "workarounds": [{"lang": "en", "value": "Disable the API in Mautic. See  documentation https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings .", "supportingMedia": [{"type": "text/html", "value": "<p>Disable the API in Mautic. See <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings\">documentation</a>.</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.\n\n  *  Improper Authorization:\u00a0An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the \"Reporting Permissions > View Own\" and \"Reporting Permissions > View Others\" permissions, which should restrict access to non-System Reports.", "supportingMedia": [{"type": "text/html", "value": "<p>This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.</p><ul><li><strong>Improper Authorization:</strong>&nbsp;An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the \"Reporting Permissions &gt; View Own\" and \"Reporting Permissions &gt; View Others\" permissions, which should restrict access to non-System Reports.</li></ul>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2025-02-26T11:55:28.089Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47053", "state": "PUBLISHED", "dateUpdated": "2025-03-12T19:51:32.738Z", "dateReserved": "2024-09-17T13:41:00.584Z", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "datePublished": "2025-02-26T11:54:17.219Z", "assignerShortName": "Mautic"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.\n\n  *  Improper Authorization:\u00a0An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the \"Reporting Permissions > View Own\" and \"Reporting Permissions > View Others\" permissions, which should restrict access to non-System Reports."}], "id": "CVE-2024-47053", "lastModified": "2025-02-26T13:15:40.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security@mautic.org", "type": "Secondary"}]}, "published": "2025-02-26T13:15:40.090", "references": [{"source": "security@mautic.org", "url": "https://cwe.mitre.org/data/definitions/287.html"}, {"source": "security@mautic.org", "url": "https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings"}, {"source": "security@mautic.org", "url": "https://github.com/mautic/mautic/security/advisories/GHSA-8xv7-g2q3-fqgc"}], "sourceIdentifier": "security@mautic.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@mautic.org", "type": "Secondary"}]}

{}