fkie_cve-2024-47055
Vulnerability from fkie_nvd
Published
2025-05-28 18:15
Modified
2025-05-29 14:29
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks. Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones. MitigationUpdate Mautic to a version that implements proper authorization checks for the cloneAction within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions.
References
security@mautic.orghttps://github.com/mautic/mautic/security/advisories/GHSA-vph5-ghq3-q782
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks.\n\nInsecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction\u00a0of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones.\n\nMitigationUpdate Mautic to a version that implements proper authorization checks for the cloneAction\u00a0within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions."
    },
    {
      "lang": "es",
      "value": "Resumen: Este aviso aborda una vulnerabilidad de seguridad en Mautic relacionada con la funci\u00f3n de clonaci\u00f3n de segmentos. Esta vulnerabilidad permite a cualquier usuario autenticado clonar segmentos sin las comprobaciones de autorizaci\u00f3n adecuadas. Referencia directa a objeto insegura (IDOR) / Falta de autorizaci\u00f3n: Existe una vulnerabilidad de falta de autorizaci\u00f3n en la acci\u00f3n cloneAction de la administraci\u00f3n de segmentos. Esto permite a un usuario autenticado eludir las restricciones de permisos previstas y clonar segmentos incluso si no cuenta con los permisos necesarios para crear nuevos. Mitigaci\u00f3n: Actualice Mautic a una versi\u00f3n que implemente las comprobaciones de autorizaci\u00f3n adecuadas para la acci\u00f3n cloneAction dentro de ListController.php. Aseg\u00farese de que los usuarios que intenten clonar segmentos posean los permisos de creaci\u00f3n adecuados."
    }
  ],
  "id": "CVE-2024-47055",
  "lastModified": "2025-05-29T14:29:50.247",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security@mautic.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-28T18:15:24.930",
  "references": [
    {
      "source": "security@mautic.org",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-vph5-ghq3-q782"
    }
  ],
  "sourceIdentifier": "security@mautic.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security@mautic.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.