FKIE_CVE-2025-5257
Vulnerability from fkie_nvd - Published: 2025-05-28 17:15 - Updated: 2025-05-29 14:29
Summary
This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information.
Unauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., /page/preview/1, /page/preview/2), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable.
Mitigation: Mautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later.
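The gap the advisory describes, modelled as an added example (this is not Mautic's code; the `page:preview` permission name, the in-memory page store and the handler signatures are hypothetical): a preview route that trusts the URL alone, beside a hardened one that gates unpublished content on an authenticated, permitted user and tells crawlers not to index previews.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    page_id: int
    title: str
    is_published: bool

@dataclass
class User:
    username: str
    permissions: set = field(default_factory=set)  # hypothetical permission names

ANONYMOUS = None  # no session

# Constructed sample data: one unpublished draft and one live page,
# reachable through predictable ids just like /page/preview/1 and /page/preview/2.
PAGES = {
    1: Page(1, "Q3 pricing draft (internal)", is_published=False),
    2: Page(2, "Welcome", is_published=True),
}

def preview_vulnerable(page_id, user):
    """Pre-fix behaviour: anyone who guesses the id gets the draft."""
    page = PAGES.get(page_id)
    if page is None:
        return 404, {}, ""
    return 200, {}, page.title

def preview_hardened(page_id, user):
    """Post-fix behaviour: published pages stay open; unpublished pages need an
    authenticated user holding the (hypothetical) 'page:preview' permission.
    Every preview response carries X-Robots-Tag so a leaked URL is not indexed."""
    headers = {"X-Robots-Tag": "noindex, nofollow"}
    page = PAGES.get(page_id)
    if page is None:
        return 404, headers, ""
    if not page.is_published:
        if user is ANONYMOUS:
            # Same status as a missing page, so walking sequential ids
            # does not reveal which drafts exist.
            return 404, headers, ""
        if "page:preview" not in user.permissions:
            return 403, headers, ""  # authenticated but not permitted
    return 200, headers, page.title
```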
```json
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SummaryThis advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information.\n\nUnauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., /page/preview/1, /page/preview/2), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable.\nMitigationMautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later."
    },
    {
      "lang": "es",
      "value": "Resumen: Este aviso aborda una vulnerabilidad de seguridad en Mautic que permit\u00eda a usuarios no autenticados acceder a vistas previas de p\u00e1ginas no publicadas, las cuales podr\u00edan ser indexadas por motores de b\u00fasqueda. Esto podr\u00eda provocar la divulgaci\u00f3n involuntaria de borradores o informaci\u00f3n confidencial. Acceso no autorizado a vistas previas de p\u00e1ginas no publicadas: La funci\u00f3n de vista previa de p\u00e1ginas para contenido no publicado, accesible mediante URL predecibles (p. ej., /page/preview/1, /page/preview/2), carec\u00eda de las comprobaciones de autorizaci\u00f3n adecuadas. Esto permit\u00eda a cualquier usuario no autenticado ver contenido que a\u00fan no estaba destinado a ser publicado, y permit\u00eda a los motores de b\u00fasqueda indexar estas URL de vista previa privadas, haciendo que el contenido fuera visible p\u00fablicamente. Mitigaci\u00f3n: Mautic ha corregido esta vulnerabilidad implementando las comprobaciones de permisos adecuadas en las p\u00e1ginas de vista previa. Los usuarios deben actualizar a la versi\u00f3n corregida de Mautic o una versi\u00f3n posterior."
    }
  ],
  "id": "CVE-2025-5257",
  "lastModified": "2025-05-29T14:29:50.247",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "security@mautic.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-28T17:15:25.917",
  "references": [
    {
      "source": "security@mautic.org",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-cqx4-9vqf-q3m8"
    }
  ],
  "sourceIdentifier": "security@mautic.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1284"
        }
      ],
      "source": "security@mautic.org",
      "type": "Secondary"
    }
  ]
}
```