Authorization Flaw in Mautic's API Access Controls
CVE-2024-47053

7.7HIGH

Key Information:

Vendor: Mautic
Status: Mautic/core
Vendor: CVE Published:; 26 February 2025

Summary

An authorization vulnerability exists in Mautic's API that allows any authenticated user to bypass access controls, thereby gaining unauthorized access to all reports and their associated data. This flaw undermines the intended permissions related to 'View Own' and 'View Others,' which should restrict access to sensitive report data based on user roles. Properly configured, these permissions should prevent unauthorized visibility into non-System Reports.

Affected Version(s)

mautic/core >= 1.0.1

References

https://github.com/mautic/mautic/security/advisories/GHSA...

https://cwe.mitre.org/data/definitions/287.html

https://docs.mautic.org/en/5.2/configuration/settings.htm...

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 26, 2025
Vulnerability Reserved
Sep 17, 2024

Credit

Putzwasser

Lenon Leite

Patryk Gruszka

John Linhart