CVE-2024-47050: 
PHP vulnerability analysis and mitigation

CVE-2024-47050 is a Cross-Site Scripting (XSS) vulnerability discovered in Mautic's tracking functionality, affecting versions from 2.6.0 up to (excluding) 4.4.13 and versions from 5.0.0 up to (excluding) 5.1.1. The vulnerability was disclosed on September 18, 2024, and allows exploitation through the Page URL variable without requiring authentication (Vendor Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.1 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Mautic assigned a slightly lower CVSS score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to execute cross-site scripting attacks through the Page URL variable, potentially leading to unauthorized data access and manipulation of web content. The attack requires user interaction but does not require authentication, making it particularly concerning for public-facing Mautic installations (Vendor Advisory).

Users are strongly advised to upgrade to Mautic version 4.4.13 or 5.1.1 or later, which contain patches for this vulnerability. No alternative workarounds are available (Vendor Advisory).