Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-8vff-35qm-qjvv: Mautic allows users enumeration due to weak password login

Summary

When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak.

However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification.

This difference could be used to perform username enumeration.

Patches

Update to 5.1.1 or later.

If you have any questions or comments about this advisory:

Email us at [email protected]

ghsa
Open in Source

Summary

When logging in with the correct username and incorrect weak password, the user receives the notification, that their password is too weak.

However when an incorrect username is provided along side with weak password, the application responds with ’Invalid credentials’ notification.

This difference could be used to perform username enumeration.

Patches

Update to 5.1.1 or later.

If you have any questions or comments about this advisory:

Email us at [email protected]

References

  • GHSA-8vff-35qm-qjvv

ghsa: Latest News

GHSA-84jw-g43v-8gjm: DOM Clobbering Gadget found in Rspack's AutoPublicPathRuntimeModule that leads to XSS
ghsa