CVE-2024-47055

{"id": "CVE-2024-47055", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@mautic.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-05-28T18:15:24.930", "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-vph5-ghq3-q782", "tags": ["Vendor Advisory", "Mitigation"], "source": "security@mautic.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@mautic.org", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SummaryThis advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks.\n\nInsecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction\u00a0of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones.\n\nMitigationUpdate Mautic to a version that implements proper authorization checks for the cloneAction\u00a0within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions."}, {"lang": "es", "value": "Resumen: Este aviso aborda una vulnerabilidad de seguridad en Mautic relacionada con la funci\u00f3n de clonaci\u00f3n de segmentos. Esta vulnerabilidad permite a cualquier usuario autenticado clonar segmentos sin las comprobaciones de autorizaci\u00f3n adecuadas. Referencia directa a objeto insegura (IDOR) / Falta de autorizaci\u00f3n: Existe una vulnerabilidad de falta de autorizaci\u00f3n en la acci\u00f3n cloneAction de la administraci\u00f3n de segmentos. Esto permite a un usuario autenticado eludir las restricciones de permisos previstas y clonar segmentos incluso si no cuenta con los permisos necesarios para crear nuevos. Mitigaci\u00f3n: Actualice Mautic a una versi\u00f3n que implemente las comprobaciones de autorizaci\u00f3n adecuadas para la acci\u00f3n cloneAction dentro de ListController.php. Aseg\u00farese de que los usuarios que intenten clonar segmentos posean los permisos de creaci\u00f3n adecuados."}], "lastModified": "2025-10-03T14:11:44.813", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28D0344B-E313-4B70-BE1A-203412516DBB", "versionEndExcluding": "5.2.6", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:acquia:mautic:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E3CB2C3-C981-460E-BA2E-5B00EE3A7193", "versionEndExcluding": "6.0.2", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mautic.org"}