CVE-2024-3448
MEDIUM
Mautic < 4.4.9 - Server-Side Request Forgery via AJAX Plugin Focus Check Iframe Availability
Title source: llmDescription
Users with low privileges can perform certain AJAX actions. In this vulnerability instance, improper access to ajax?action=plugin:focus:checkIframeAvailability leads to a Server-Side Request Forgery: by analyzing the error messages returned from the back-end, an attacker can perform a port scan of the back-end. At the time of publication of the CVE, no patch is available.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/4d72d300-92d6-4e3c-93d8-52fe47396ae0
Scores
CVSS v3
5.0
EPSS
0.0044
EPSS Percentile
35.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
Mautic/Mautic
< 4.4.9
Published
Apr 10, 2024
Tracked Since
Feb 18, 2026