CVE-2024-47055: CWE-862 Missing Authorization in Mautic Mautic
Summary
This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks.
Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones.
Mitigation
Update Mautic to a version that implements proper authorization checks for the cloneAction within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions.
AI Analysis
Technical Summary
CVE-2024-47055 is a security vulnerability identified in Mautic, an open-source marketing automation platform widely used for managing marketing campaigns and customer engagement. The vulnerability is categorized as CWE-862, indicating a Missing Authorization issue. Specifically, it affects the segment cloning functionality within Mautic's ListController.php component. The flaw allows any authenticated user to perform the cloneAction on segments without undergoing proper authorization checks. This means that users who have basic authentication but lack explicit permissions to create new segments can bypass these restrictions and clone existing segments. The vulnerability is an Insecure Direct Object Reference (IDOR) type, where the system fails to verify whether the user is authorized to perform the requested action on the targeted resource. The CVSS v3.1 base score is 4.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). The vulnerability affects Mautic versions greater than 5.0.0. While no known exploits are currently reported in the wild, the flaw could be leveraged by malicious insiders or compromised accounts to manipulate marketing segments, potentially leading to unauthorized data manipulation or escalation of privileges within the marketing automation environment. The recommended mitigation is to update Mautic to a version that enforces proper authorization checks for the cloneAction, ensuring that only users with segment creation permissions can perform cloning operations.
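The following self-contained PHP script is an added illustration of the pattern the analysis describes, not code from Mautic or from the advisory. It models a clone operation that only checks whether the caller may view the source segment beside a hardened version that also requires the create permission, since a clone is a create. The permission names (lead:lists:viewown, lead:lists:viewother, lead:lists:create), the Permissions/SegmentRepository/SegmentCloneService classes and the demo users are assumptions modelled on Mautic's conventions; nothing here is the project's own API.

```php
<?php
// Added illustration (not Mautic's code) of the CVE-2024-47055 pattern and its fix.
// Permission names and the isGranted() service are assumptions, not Mautic's API.
declare(strict_types=1);

final class Segment
{
    public function __construct(public int $id, public string $name, public int $createdBy) {}
}

/** Stand-in for an application permission service (assumed API). */
final class Permissions
{
    /** @param array<int, list<string>> $grants user id => granted permission names */
    public function __construct(private array $grants) {}

    public function isGranted(int $userId, string $permission): bool
    {
        return in_array($permission, $this->grants[$userId] ?? [], true);
    }
}

/** In-memory segment store so the script runs without a database. */
final class SegmentRepository
{
    /** @var array<int, Segment> */
    private array $rows = [];
    private int $nextId = 1;

    public function add(string $name, int $createdBy): Segment
    {
        $s = new Segment($this->nextId++, $name, $createdBy);
        $this->rows[$s->id] = $s;
        return $s;
    }

    public function find(int $id): ?Segment
    {
        return $this->rows[$id] ?? null;
    }
}

final class SegmentCloneService
{
    public function __construct(private Permissions $perms, private SegmentRepository $repo) {}

    /** Vulnerable shape: only verifies the caller may view the source, then creates a copy. */
    public function cloneVulnerable(int $userId, int $sourceId): Segment
    {
        $src = $this->repo->find($sourceId) ?? throw new RuntimeException('segment not found');
        $this->assertCanView($userId, $src);
        return $this->repo->add($src->name . ' (copy)', $userId);   // no create check
    }

    /** Fixed shape: cloning creates a new segment, so it also requires the create permission. */
    public function cloneFixed(int $userId, int $sourceId): Segment
    {
        $src = $this->repo->find($sourceId) ?? throw new RuntimeException('segment not found');
        $this->assertCanView($userId, $src);
        if (!$this->perms->isGranted($userId, 'lead:lists:create')) {
            throw new RuntimeException('403: missing lead:lists:create');
        }
        return $this->repo->add($src->name . ' (copy)', $userId);
    }

    private function assertCanView(int $userId, Segment $s): void
    {
        $own   = $s->createdBy === $userId && $this->perms->isGranted($userId, 'lead:lists:viewown');
        $other = $this->perms->isGranted($userId, 'lead:lists:viewother');
        if (!$own && !$other) {
            throw new RuntimeException('403: cannot view segment ' . $s->id);
        }
    }
}

// Constructed demo data: user 1 may create segments, user 2 may only view them.
$perms = new Permissions([
    1 => ['lead:lists:viewown', 'lead:lists:viewother', 'lead:lists:create'],
    2 => ['lead:lists:viewother'],
]);
$repo = new SegmentRepository();
$svc  = new SegmentCloneService($perms, $repo);
$base = $repo->add('Newsletter subscribers', 1);

$clone = $svc->cloneVulnerable(2, $base->id);   // succeeds although user 2 lacks create rights
echo "vulnerable: user 2 created segment #{$clone->id}\n";

try {
    $svc->cloneFixed(2, $base->id);
} catch (RuntimeException $e) {
    echo 'fixed: ' . $e->getMessage() . "\n";   // 403: missing lead:lists:create
}
echo 'fixed: user 1 cloned -> #' . $svc->cloneFixed(1, $base->id)->id . "\n";
```

Run it with `php clone_check.php` (PHP 8.0 or later). The point to carry over to a real code base is that every action which persists a new entity, including "copy", "duplicate" and "clone" endpoints, must pass the same authorization gate as the plain create action; checking only the read permission on the source object is the missing-authorization bug.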
Potential Impact
For European organizations using Mautic for marketing automation, this vulnerability poses a risk primarily to the integrity of marketing data and segment management. Unauthorized cloning of segments could lead to unauthorized duplication and potential manipulation of customer segments, which might result in incorrect targeting, data inconsistencies, or leakage of segment configurations. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise could indirectly affect marketing campaign effectiveness and compliance with data governance policies such as GDPR. Additionally, if attackers leverage this flaw as a stepping stone, it could facilitate further privilege escalation or unauthorized actions within the marketing platform. Organizations with strict data handling and segmentation requirements, especially those in regulated industries like finance, healthcare, or telecommunications, may face compliance risks if unauthorized segment cloning leads to improper data processing. The medium severity rating reflects that exploitation requires authenticated access, limiting exposure to internal users or compromised accounts, but the ease of exploitation (low complexity, no user interaction) means that once authenticated, attackers can readily abuse the flaw.
Mitigation Recommendations
1. Immediate update of Mautic to the latest patched version that includes proper authorization checks for the cloneAction in ListController.php.
2. Review and tighten user role and permission assignments within Mautic to ensure minimal necessary privileges are granted, particularly restricting segment creation permissions to trusted users only.
3. Implement monitoring and alerting on segment cloning activities to detect unusual or unauthorized cloning attempts.
4. Conduct regular audits of segment configurations and changes to identify unauthorized modifications.
5. Enforce strong authentication mechanisms (e.g., MFA) for all users accessing Mautic to reduce the risk of compromised accounts being used to exploit this vulnerability.
6. Consider network segmentation or access controls to limit Mautic access to only authorized personnel and systems.
7. Educate marketing and IT teams about the importance of permission hygiene and the risks associated with privilege escalation within marketing platforms.
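As an added example for recommendations 2 and 3 (not part of the advisory or of Mautic), the PHP script below runs a compensating detection over application event lines: it flags successful segment clones performed by users who are not on the list of accounts holding the create permission, and clone bursts by any single user. The `key=value` event line format, the action name `segment.clone`, the user names and the creator list are all constructed for the demo; in practice the lines would come from whatever audit or application log records the clone action, and the creator list from an export of the Mautic role assignments.

```php
<?php
// Added example, not from Mautic or the advisory: flag segment clones by users
// without create rights, and clone bursts. Event format and inputs are constructed.
declare(strict_types=1);

/** Parse one constructed "ts user=... action=... object_id=... status=..." line. */
function parseEvent(string $line): ?array
{
    if (!preg_match('/^(\S+)\s+user=(\S+)\s+action=(\S+)\s+object_id=(\d+)\s+status=(\d+)/', $line, $m)) {
        return null;   // unrelated or malformed line
    }
    return [
        'ts'     => (int) strtotime($m[1]),
        'user'   => $m[2],
        'action' => $m[3],
        'id'     => (int) $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * @param list<string> $lines     raw event lines
 * @param list<string> $creators  users entitled to create segments (from a role export)
 * @param int          $burst     number of clones per user inside $windowSec that counts as a burst
 * @return list<string> human-readable alerts
 */
function findSuspiciousClones(array $lines, array $creators, int $burst = 5, int $windowSec = 300): array
{
    $alerts  = [];
    $noPerm  = [];   // user => list of cloned segment ids
    $byUser  = [];   // user => list of clone timestamps

    foreach ($lines as $line) {
        $e = parseEvent($line);
        if ($e === null || $e['action'] !== 'segment.clone' || $e['status'] !== 200) {
            continue;   // only successful clone events matter here
        }
        if (!in_array($e['user'], $creators, true)) {
            $noPerm[$e['user']][] = $e['id'];
        }
        $byUser[$e['user']][] = $e['ts'];
    }

    foreach ($noPerm as $user => $ids) {
        $alerts[] = sprintf('%s cloned segment(s) %s without create permission', $user, implode(',', $ids));
    }

    // Sliding window: $burst consecutive clones whose first and last fall within $windowSec.
    foreach ($byUser as $user => $times) {
        sort($times);
        for ($i = 0; $i + $burst - 1 < count($times); $i++) {
            if ($times[$i + $burst - 1] - $times[$i] <= $windowSec) {
                $alerts[] = sprintf('%s performed %d clones within %d s', $user, $burst, $windowSec);
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample: alice holds create rights, bob does not.
$sample = [
    '2025-05-28T17:40:00Z user=alice action=segment.clone object_id=12 status=200',
    '2025-05-28T17:40:05Z user=bob action=segment.view object_id=12 status=200',
    '2025-05-28T17:41:10Z user=bob action=segment.clone object_id=12 status=200',
    '2025-05-28T17:41:30Z user=bob action=segment.clone object_id=7 status=200',
    '2025-05-28T17:42:00Z user=bob action=segment.clone object_id=9 status=200',
    '2025-05-28T17:42:20Z user=bob action=segment.clone object_id=9 status=200',
    '2025-05-28T17:43:00Z user=bob action=segment.clone object_id=3 status=200',
    'this line is noise and is skipped',
];

foreach (findSuspiciousClones($sample, ['alice']) as $alert) {
    echo $alert, "\n";
}
```

On the sample this prints one alert for bob's five clones without create permission and one for the burst. On an unpatched install every authenticated user can trigger the clone, so comparing the actor of each clone event against the set of users who legitimately hold the create permission is the control that makes abuse visible until the update is applied.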
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mautic
- Date Reserved: 2024-09-17T13:41:00.584Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68374b89182aa0cae2567814
Added to database: 5/28/2025, 5:44:41 PM
Last enriched: 7/7/2025, 4:40:52 AM
Last updated: 8/17/2025, 9:39:39 AM