Sensitive Information Exposed in Certain Pages Despite Low Privileges
CVE-2024-2731

5.4MEDIUM

Key Information:

Vendor: Mautic
Status: Mautic
Vendor: CVE Published:; 10 April 2024

Badges

👾 Exploit Exists

Summary

Users with low privileges (all permissions deselected in the administrator permissions settings) can view certain pages that expose sensitive information such as company names, users' names and surnames, stage names, and monitoring campaigns and their descriptions. In addition, unprivileged users can see and edit the descriptions of tags. At the time of publication of the CVE no patch is available.

Affected Version(s)

Mautic 0 <= 4.4.9

References

https://huntr.com/bounties/4d72d300-92d6-4e3c-93d8-52fe47...

exploit

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 10, 2024
👾
Exploit known to exist
Apr 10, 2024
Vulnerability published
Apr 10, 2024
Vulnerability Reserved
Mar 20, 2024

Credit

ZHAW Information Security Research Group