CVE-2024-47057: 
PHP vulnerability analysis and mitigation

A security vulnerability (CVE-2024-47057) was discovered in Mautic's "Forget your password" functionality that allows unauthenticated users to enumerate valid usernames. The vulnerability was published on May 28, 2025, and affects Mautic versions greater than 1.0 (Mautic Advisory, NVD).

The vulnerability exists in the password reset functionality where differences in response times between existing and non-existing users, combined with a lack of request limiting, enable timing-based attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is classified as CWE-203 (Observable Discrepancy) (Mautic Advisory, Wiz).

The vulnerability allows attackers to determine the existence of valid usernames in the system through timing analysis of password reset responses. This information disclosure could potentially be used as a stepping stone for further attacks such as brute force attempts or targeted phishing campaigns (Wiz).

The vulnerability has been patched in Mautic versions 6.0.2, 5.2.6, and 4.4.16. The fix normalizes password reset response times to respond at the same time regardless of user existence. No workarounds are available, and users are advised to upgrade to a patched version (Mautic Advisory).