CVE-2024-47053: 
PHP vulnerability analysis and mitigation

A critical authorization vulnerability was discovered in Mautic's HTTP Basic Authentication implementation affecting the reporting API. The vulnerability (CVE-2024-47053) was disclosed on February 25, 2025, affecting Mautic versions prior to 5.2.3. The flaw allows any authenticated user to access all reports and their associated data via the API, regardless of their assigned roles or permissions (Mautic Advisory).

The vulnerability stems from an improper authorization implementation in Mautic's API Authorization system. The flaw bypasses the intended access controls governed by the 'Reporting Permissions > View Own' and 'Reporting Permissions > View Others' permissions, which should restrict access to non-System Reports. The vulnerability has been assigned a CVSS v3.1 score of 7.7 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating network vector attack with low complexity and requiring low privileges (Mautic Advisory).

The vulnerability allows unauthorized access to sensitive report data. Any authenticated user can access all reports and their associated data through the API, regardless of their permission levels. This could lead to exposure of confidential information and bypass of established access control mechanisms (Mautic Advisory).

The primary mitigation is to update to Mautic version 5.2.3 or later which contains the fix for this vulnerability. As a temporary workaround, administrators can disable the API functionality entirely in Mautic's configuration settings (Mautic Advisory, Mautic Docs).