exploitDog

GHSA-8vff-35qm-qjvv

Published: 18 Sep 2024
Source: github
GitHub: Reviewed
CVSS4: 6.9
CVSS3: 4.3

Description

Mautic allows users enumeration due to weak password login

Summary

When logging in with the correct username and an incorrect, weak password, the user receives a notification that their password is too weak.

However, when an incorrect username is provided alongside a weak password, the application responds with an 'Invalid credentials' notification.

This difference could be used to perform username enumeration.
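The response divergence described above, as an added example that is not Mautic's own code: a minimal Python login handler that reproduces the two-message behaviour, a hardened handler that authenticates first and answers every failing path with the same message, and a check a defender can run to confirm that a known and an unknown username are no longer distinguishable. The user store, the password-policy rule, the message strings and the dummy-record trick are assumptions constructed for this demonstration.

```python
"""Login responses: the message divergence that enables username enumeration,
beside a handler that answers uniformly.

Added example; not Mautic code. The user store, the password-policy check and
the message strings are assumptions constructed for this demonstration.
"""
import hashlib
import hmac


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 digest). Not real data.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def password_is_weak(pw: str) -> bool:
    # Assumed policy: anything shorter than 12 characters counts as weak.
    return len(pw) < 12


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the advisory's behaviour: the policy check runs only when the
    username exists, so the failure message reveals whether the account is real."""
    record = USERS.get(username)
    if record is None:
        return "Invalid credentials"
    if password_is_weak(password):
        return "Your password is too weak"  # only reachable for real usernames
    salt, digest = record
    if hmac.compare_digest(_hash(password, salt), digest):
        return "OK"
    return "Invalid credentials"


def login_hardened(username: str, password: str) -> str:
    """Authenticate first; every failing path returns the same message."""
    record = USERS.get(username)
    # A dummy record keeps the hashing work equal whether or not the user exists,
    # so the response time does not become the next distinguishing signal.
    salt, digest = record if record else (_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(_hash(password, salt), digest) and record is not None
    if not ok:
        return "Invalid credentials"
    # Password-policy nudges belong after successful authentication only.
    if password_is_weak(password):
        return "OK (password below current policy; please change it)"
    return "OK"


def responses_distinguish_users(handler, probe_password: str) -> bool:
    """Defender's check: do a known and an unknown username yield different
    failure messages for the same wrong password? True means enumerable."""
    return handler("alice", probe_password) != handler("nobody", probe_password)
```

The check compares only message text, which is the signal this advisory is about; a fuller regression test would also compare status codes, headers and response timing, since any of those can reintroduce the same distinction.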

Patches

Update to 5.1.1 or later.

If you have any questions or comments about this advisory:

Email us at security@mautic.org

Packages

Name: mautic/core (composer)
Affected versions: >= 5.1.0, < 5.1.1
Fixed version: 5.1.1

EPSS

Percentile: 54%
Score: 0.00311
Low

CVSS4: 6.9 Medium
CVSS3: 4.3 Medium

Weaknesses

CWE-200
CWE-204

Related vulnerabilities

CVSS3: 4.3
nvd
more than 1 year ago

When logging in with the correct username and an incorrect, weak password, the user receives a notification that their password is too weak. However, when an incorrect username is provided alongside a weak password, the application responds with an 'Invalid credentials' notification. This difference could be used to perform username enumeration.
