CVE-2024-47051

9.1 CRITICAL
Published: February 26, 2025 Modified: October 16, 2025
View on NVD

Description

This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts. * Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/mautic/mautic/security/advisories/GHSA-73gx-x7r9-77x2
Source: security@mautic.org
Vendor Advisory
https://owasp.org/www-community/attacks/Code_Injection
Source: security@mautic.org
Not Applicable
https://owasp.org/www-community/attacks/Path_Traversal
Source: security@mautic.org
Not Applicable

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.1 / 10.0
EPSS (Exploit Probability)
0.7%
72th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-23 CWE-94

Affected Vendors

acquia

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3