
The Mautic project has disclosed CVE-2024-47051, a vulnerability affecting versions before 5.2.3 and rated 9.1 on the CVSS scale. It allows Remote Code Execution (RCE) and arbitrary file deletion, and so poses a significant risk to organizations running Mautic for marketing automation.
Mautic, the world's largest open-source marketing automation platform, is used by over 200,000 organizations. The advisory describes two critical flaws, both exploitable by an authenticated user:
- Remote Code Execution via Asset Upload: "A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts."
An attacker with an account permitted to upload assets can use this flaw to run arbitrary code on the server with the privileges of the web-server process, a foothold that commonly leads to full compromise of the host.
- Path Traversal File Deletion: "A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system."
Because the deletion runs with the privileges of the web-server process, an attacker can remove any file that process is allowed to delete, including application configuration and data files, causing service disruption or data loss.
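The two mistakes the advisory describes, an extension allow-list that looks only at the last extension and a deletion path that is not confined to the upload directory, are shown below in a vulnerable and a hardened form. This is an added example, not Mautic's code or the advisory's; it is written in Python for clarity, and the same checks translate directly to PHP (`pathinfo()`, `realpath()`). The allow-list, the `/srv/demo-uploads` directory and the sample file names are constructed for the demonstration.

```python
"""
Added example, not Mautic's own code: the two input-validation mistakes the
advisory describes (extension allow-listing that can be bypassed, and a
deletion path that is not confined to the upload directory), each shown in a
vulnerable and a hardened form.  The allow-list, the upload directory and the
sample file names are constructed for this demonstration.
"""
import os

# Extensions an asset upload endpoint might legitimately accept (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "csv", "txt"}

# Extensions a PHP-serving web server may execute or honour wherever they
# appear in a file name.  Illustrative, not exhaustive.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8",
                        "phtml", "phar", "phps", "htaccess"}

# Constructed upload directory for the deletion example.
UPLOAD_DIR = "/srv/demo-uploads"


def weak_extension_check(filename):
    """Vulnerable pattern: look only at the text after the last dot.

    'shell.php.jpg' passes, yet Apache's multi-extension handling
    (AddHandler for .php) can still execute it as PHP.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def strict_extension_check(filename):
    """Hardened: reject path characters and any dangerous extension anywhere
    in the name, then require the final extension to be allow-listed."""
    # A bare file name only: no separators, no NUL byte.
    if not filename or any(c in filename for c in "/\\\0"):
        return False
    # Normalise case and strip trailing dots/spaces that some file systems
    # silently drop ('shell.php.' would otherwise be stored as 'shell.php').
    name = filename.lower().rstrip(". ")
    parts = name.split(".")
    # Require a non-empty base name and at least one extension; this also
    # rejects dot-files such as '.htaccess'.
    if len(parts) < 2 or not parts[0]:
        return False
    # Every extension in the chain, not just the last, must be safe.
    if any(p in DANGEROUS_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS


def weak_delete_target(upload_dir, user_supplied):
    """Vulnerable pattern: join and delete.  normpath() shows where an
    unlink() on the joined string would actually land."""
    return os.path.normpath(os.path.join(upload_dir, user_supplied))


def resolve_inside(upload_dir, user_supplied):
    """Hardened: resolve the candidate and confirm it is still inside the
    upload directory.  Returns the resolved path, or None if the request
    escapes the directory or names the directory itself."""
    base = os.path.realpath(upload_dir)
    # os.path.join discards base if user_supplied is absolute; the
    # containment check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath() compares whole path components, so a sibling directory
    # such as '/srv/demo-uploads-private' does not pass as a prefix match.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("report.pdf", "shell.php", "shell.php.jpg", "shell.php.", ".htaccess"):
        print(f"{name:16} weak={weak_extension_check(name)!s:5} "
              f"strict={strict_extension_check(name)}")
    for target in ("logo.png", "../../etc/passwd", "/etc/passwd",
                   "../demo-uploads-private/x"):
        print(f"{target:28} weak->{weak_delete_target(UPLOAD_DIR, target)}  "
              f"strict->{resolve_inside(UPLOAD_DIR, target)}")
```

The extension check deliberately rejects a dangerous token anywhere in the name rather than only at the end, and the deletion check compares resolved paths component-wise instead of with a string prefix; both are the points at which a naive implementation is bypassed. In a real deployment these checks belong alongside, not instead of, a web-server rule that never executes scripts from the upload directory.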
The Mautic team has released version 5.2.3, which addresses both vulnerabilities. Users and administrators are strongly advised to update immediately. Where the update cannot be applied at once, limiting which accounts may upload assets and confirming that the web server does not execute scripts from the asset upload directory reduce exposure; after updating, reviewing that directory for unexpected script files is a worthwhile check.