CVE-2024-47057

SummaryThis advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames.

User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack.

MitigationPlease update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence.

Published: May 28, 2025
Updated: Aug 11, 2025
CVE: CVE-2024-47057
GHSA: GHSA-424x-cxvh-wq9p
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
mautic / core	1.0.0	4.4.16
mautic / core	5.0.0-alpha	5.2.6
mautic / core	6.0.0-alpha	6.0.2

https://github.com/mautic/mautic/security/advisories/GHSA-424x-cxvh-wq9p

Vulnerability Database

CVE-2024-47057