CVE-2024-47053

CVE-2024-47053 is an improper authorization vulnerability (CWE-285) in Mautic's API authorization implementation, specifically tied to its HTTP Basic Authentication. The flaw affects Mautic, an open-source marketing automation platform, where any authenticated user can bypass intended access controls to retrieve all reports and associated sensitive data via the API. This circumvents role-based permissions such as "Reporting Permissions > View Own" and "Reporting Permissions > View Others," which are designed to restrict access to non-System Reports. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), rated as high severity due to its network accessibility and confidentiality impact.

Any low-privileged authenticated user can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation involves crafting API requests to access restricted reports, granting unauthorized visibility into sensitive data regardless of the user's assigned roles or permissions. This enables potential data exfiltration of reports containing confidential information, such as customer insights or marketing analytics, without altering or disrupting the system.

For mitigation details, refer to the official Mautic GitHub security advisory at GHSA-8xv7-g2q3-fqgc, which addresses the issue, along with Mautic's API settings documentation at docs.mautic.org/en/5.2/configuration/settings.html#api-settings. The advisory was published on 2025-02-26.