{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-47059","assignerOrgId":"4e531c38-7a33-45d3-98dd-d909c0d8852e","state":"PUBLISHED","assignerShortName":"Mautic","dateReserved":"2024-09-17T13:41:00.585Z","datePublished":"2024-09-18T21:19:26.951Z","dateUpdated":"2024-09-25T20:46:12.074Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://packagist.org","defaultStatus":"unaffected","packageName":"mautic/core","product":"Mautic","repo":"https://github.com/mautic/mautic","vendor":"Mautic","versions":[{"lessThan":"< 5.1.1","status":"affected","version":">= 5.1.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"remediation reviewer","value":"Patryk Gruszka"},{"lang":"en","type":"remediation verifier","value":"John Linhart"},{"lang":"en","type":"remediation developer","value":"Tomasz Kowalczyk"},{"lang":"en","type":"finder","value":"Rafał Kamiński"}],"datePublic":"2024-09-18T20:46:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"When a login attempt uses a valid username together with an incorrect password that the application considers too weak, the response states that the password is too weak.<br><br>When an unknown username is submitted with the same weak password, the application instead responds with an 'Invalid credentials' notification.<br><br>Because the response reveals whether the submitted username exists, an attacker can use this difference to enumerate valid usernames."}],"value":"When a login attempt uses a valid username together with an incorrect password that the application considers too weak, the response states that the password is too weak.\n\nWhen an unknown username is submitted with the same weak password, the application instead responds with an 'Invalid credentials' notification.\n\nBecause the response reveals whether the submitted username exists, an attacker can use this difference to enumerate valid usernames."}],"impacts":[{"capecId":"CAPEC-575","descriptions":[{"lang":"en","value":"CAPEC-575 Account Footprinting"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"4e531c38-7a33-45d3-98dd-d909c0d8852e","shortName":"Mautic","dateUpdated":"2024-09-19T19:29:53.542Z"},"references":[{"url":"https://github.com/mautic/mautic/security/advisories/GHSA-8vff-35qm-qjvv"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to 5.1.1 or later."}],"value":"Update to 5.1.1 or later."}],"source":{"advisory":"GHSA-8vff-35qm-qjvv","discovery":"USER"},"timeline":[{"lang":"en","time":"2024-08-06T13:09:00.000Z","value":"Issue reported"},{"lang":"en","time":"2024-08-06T13:10:00.000Z","value":"Fix proposed"},{"lang":"en","time":"2023-09-17T12:23:00.000Z","value":"QA passed"}],"title":"User enumeration via weak-password login response","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"affected":[{"vendor":"mautic","product":"mautic","cpes":["cpe:2.3:a:mautic:mautic:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","versions":[{"version":"5.1.0","status":"affected","lessThan":"5.1.1","versionType":"semver"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-09-25T20:45:37.083409Z","id":"CVE-2024-47059","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-25T20:46:12.074Z"}}]}}