Remote Code Execution and File Deletion Vulnerabilities in Mautic by Mautic
CVE-2024-47051

9.1CRITICAL

Key Information:

Vendor: Mautic
Status: Mautic/core
Vendor: CVE Published:; 26 February 2025

Summary

This advisory highlights two significant security vulnerabilities in Mautic that could be exploited by authenticated users. The first involves a Remote Code Execution (RCE) vulnerability associated with the asset upload feature, where weak enforcement of allowed file types enables attackers to upload malicious files, like PHP scripts. Secondly, a Path Traversal vulnerability has been detected during the upload validation process, allowing attackers to manipulate file paths and delete arbitrary files from the host system, posing a serious risk to data integrity and security.

Affected Version(s)

mautic/core < 5.2.3

References

https://github.com/mautic/mautic/security/advisories/GHSA...

https://owasp.org/www-community/attacks/Code_Injection

https://owasp.org/www-community/attacks/Path_Traversal

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Sep 17, 2024

Credit

mallo-m

Patryk Gruzska

Lenon Leite