First published: Fri Nov 03 2017
Mahara 15.04 before 15.04.10, 15.10 before 15.10.6, and 16.04 before 16.04.4 are vulnerable to incorrect access control: after a password reset link is sent via email and the user then changes their default email address, Mahara fails to invalidate the old link. Consequently, the link in the earlier email can still be used to gain access to the user's account.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mahara Mahara | =15.04-rc1 | |
Mahara Mahara | =15.04-rc2 | |
Mahara Mahara | =15.04.0 | |
Mahara Mahara | =15.04.1 | |
Mahara Mahara | =15.04.2 | |
Mahara Mahara | =15.04.3 | |
Mahara Mahara | =15.04.4 | |
Mahara Mahara | =15.04.5 | |
Mahara Mahara | =15.04.6 | |
Mahara Mahara | =15.04.7 | |
Mahara Mahara | =15.04.8 | |
Mahara Mahara | =15.04.9 | |
Mahara Mahara | =16.04-rc1 | |
Mahara Mahara | =16.04-rc2 | |
Mahara Mahara | =16.04.0 | |
Mahara Mahara | =16.04.1 | |
Mahara Mahara | =16.04.2 | |
Mahara Mahara | =16.04.3 | |
Mahara Mahara | =15.10.0 | |
Mahara Mahara | =15.10.1 | |
Mahara Mahara | =15.10.2 | |
Mahara Mahara | =15.10.3 | |
Mahara Mahara | =15.10.4 | |
Mahara Mahara | =15.10.5 | |
CVE-2017-1000153 is an incorrect access control vulnerability in Mahara before versions 15.04.10, 15.10.6, and 16.04.4: a password reset link sent via email remains valid after the user changes their email address.
CVE-2017-1000153 has a severity score of 9.8 (critical).
CVE-2017-1000153 affects Mahara versions 15.04 before 15.04.10, 15.10 before 15.10.6, and 16.04 before 16.04.4.
The impact of CVE-2017-1000153 is that an attacker who obtains the stale password reset link can use it to gain unauthorized access to the account.
To fix CVE-2017-1000153, users should upgrade to Mahara version 15.04.10, 15.10.6, or 16.04.4.
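The defect class described above is a reset token that is looked up by value alone, so it keeps working after the account's email changes. The following illustrative Python, added here and not Mahara's own code, contrasts that behaviour with a token store that records the address each link was mailed to, revokes a user's outstanding links when their email changes, and refuses a token whose bound address no longer matches the account. `User`, `ResetTokens`, `scenario` and the sample account are hypothetical names and constructed data.

```python
"""Password-reset tokens that outlive an email change versus tokens bound to
the address they were sent to.  Illustrative code, not Mahara's
implementation; class names and sample accounts are constructed."""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str


@dataclass
class Token:
    user_id: int
    bound_email: str     # address the reset link was mailed to
    expires_at: float


class ResetTokens:
    """Stores only a SHA-256 digest of each token; the plaintext goes in the link."""

    TTL = 3600  # seconds a reset link stays valid

    def __init__(self, users: dict[int, User], bind_to_email: bool):
        self.users = users
        self.bind_to_email = bind_to_email   # False reproduces the defect
        self._by_hash: dict[str, Token] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: float) -> str:
        user = self.users[user_id]
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = Token(user_id, user.email, now + self.TTL)
        return token  # caller embeds this in the emailed link

    def change_email(self, user_id: int, new_email: str) -> None:
        self.users[user_id].email = new_email
        if self.bind_to_email:
            # Revoke every outstanding link that was mailed to the old address.
            self._by_hash = {h: t for h, t in self._by_hash.items()
                             if t.user_id != user_id}

    def redeem(self, token: str, now: float) -> int | None:
        """Return the user id the token authorises, or None if it must be refused."""
        rec = self._by_hash.pop(self._digest(token), None)   # single use
        if rec is None or now > rec.expires_at:
            return None
        # Defence in depth: even if revocation was missed, a link sent to an
        # address the account no longer uses is not honoured.
        if self.bind_to_email and rec.bound_email != self.users[rec.user_id].email:
            return None
        return rec.user_id


def scenario(bind_to_email: bool) -> int | None:
    """Issue a link, change the account's email, then try the old link."""
    users = {1: User(1, "alice@example.test")}   # constructed sample account
    store = ResetTokens(users, bind_to_email)
    t0 = time.time()
    link_token = store.issue(1, t0)
    store.change_email(1, "alice-new@example.test")
    return store.redeem(link_token, t0 + 60)


if __name__ == "__main__":
    print("unbound tokens:", scenario(False))   # 1    -> stale link still logs in
    print("bound tokens  :", scenario(True))    # None -> stale link refused
```

Running the module prints the two outcomes side by side; `scenario(False)` shows the vulnerable behaviour (the stale link still authorises user 1) and `scenario(True)` shows the hardened store refusing it. Tokens are also single-use and expire after `TTL` seconds, which limits the window even where revocation on email change is not wired in.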