Sensitive Information Disclosure in Mautic by Vulnerable Configuration
CVE-2024-47056

5.1MEDIUM

Key Information:

Vendor: Mautic
Status: Mautic
Vendor: CVE Published:; 28 May 2025

What is CVE-2024-47056?

A security vulnerability in Mautic allows unauthorized access to sensitive .env configuration files via a web browser. This exposure can result in the disclosure of critical information, including database credentials and API keys, due to improper web server configurations that fail to restrict access to these files. An attacker can view the contents of the .env file simply by navigating to its URL. To mitigate this vulnerability, users should update to the latest version of Mautic and ensure proper web server configurations are in place. For Apache, configure .htaccess files appropriately, and for Nginx, add specific rules to deny access to .env files.

Affected Version(s)

Mautic > 4.4.0

References

https://github.com/mautic/mautic/security/advisories/GHSA...

CVSS V3.1

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2025
Vulnerability Reserved
Sep 17, 2024

Credit

r3ky

Lenon Leite

Nick Vanpraet

Patryk Gruszka