We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-47057

User name enumeration possible due to response time difference on password reset form



Description

SummaryThis advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack. MitigationPlease update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.

Reserved 2024-09-17 | Published 2025-05-28 | Updated 2025-05-29 | Assigner Mautic


MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-203 Observable Discrepancy

Product status

Default status
unaffected

> 1.0 before < 6.0.2, < 5.2.6, < 4.4.16
affected

Credits

Tomasz Kowalczyk reporter

Patryk Gruszka remediation reviewer

Nick Vanpraet remediation reviewer

Tomasz Kowalczyk remediation developer

References

github.com/...mautic/security/advisories/GHSA-424x-cxvh-wq9p

cve.org (CVE-2024-47057)

nvd.nist.gov (CVE-2024-47057)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-47057

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.