GHSA-vph5-ghq3-q782: Mautic segment cloning doesn't have a proper permission check

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-47055

Mautic segment cloning doesn’t have a proper permission check

Moderate severity GitHub Reviewed Published May 28, 2025 in mautic/mautic • Updated May 28, 2025

Package

Affected versions

>= 5.0.0-alpha, < 5.2.6

>= 6.0.0-alpha, < 6.0.2

Patched versions

5.2.6

6.0.2

Summary

This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks.

Insecure Direct Object Reference (IDOR) / Missing Authorization: A missing authorization vulnerability exists in the cloneAction of the segment management. This allows an authenticated user to bypass intended permission restrictions and clone segments even if they lack the necessary permissions to create new ones.

Mitigation

Update Mautic to a version that implements proper authorization checks for the cloneAction within the ListController.php. Ensure that users attempting to clone segments possess the appropriate creation permissions.

Workarounds

None

If you have any questions or comments about this advisory:
Email us at security@mautic.org

References

• GHSA-vph5-ghq3-q782

Published to the GitHub Advisory Database

May 28, 2025

Last updated

May 28, 2025