CVE-2024-47059: 
PHP vulnerability analysis and mitigation

A username enumeration vulnerability was discovered in Mautic version 5.1.0, identified as CVE-2024-47059. The vulnerability was disclosed on September 18, 2024, affecting the Mautic core package. The issue allows potential attackers to enumerate valid usernames through differential responses during the login process (Vendor Advisory).

The vulnerability stems from inconsistent error messages during the login process. When attempting to log in with a correct username but an incorrect weak password, the system responds with a 'password is too weak' notification. However, when using an incorrect username with a weak password, the system returns an 'Invalid credentials' message. This difference in response messages creates an information disclosure vector. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows malicious actors to determine valid usernames within the Mautic system. This information disclosure could be leveraged as a stepping stone for further attacks, such as targeted brute force attempts or social engineering campaigns (Vendor Advisory).

The vulnerability has been patched in Mautic version 5.1.1. Users are advised to update to this version or later to address the security issue. No alternative workarounds have been published (Vendor Advisory).