CVE-2024-47055: 
PHP vulnerability analysis and mitigation

A security vulnerability has been identified in Mautic's segment cloning functionality, tracked as CVE-2024-47055. The vulnerability allows any authenticated user to clone segments without proper authorization checks. This issue was discovered and disclosed on May 28, 2025, affecting Mautic versions above 5.0 up to versions 5.2.6 and 6.0.2, where it was patched (GitHub Advisory).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and Missing Authorization issue within the cloneAction of the segment management functionality. The CVSS v3.1 base score is 4.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and results in no confidentiality impact, low integrity impact, and no availability impact (GitHub Advisory).

The vulnerability allows authenticated users to bypass intended permission restrictions and clone segments even when they lack the necessary permissions to create new ones. This creates a potential security breach in the permission hierarchy of the application (GitHub Advisory).

Users are advised to update Mautic to version 5.2.6 or 6.0.2, which implement proper authorization checks for the cloneAction within the ListController.php. The update ensures that users attempting to clone segments possess the appropriate creation permissions. No workarounds are available for this vulnerability (GitHub Advisory).