PT-2017-13288 · Catalyst It · Mahara
Kris-Hoeppner
+4
·
Published
2017-10-31
·
Updated
2019-10-03
·
CVE-2017-14163
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Mahara versions prior to 15.04.14
Mahara versions 16.x prior to 16.04.8
Mahara versions 16.10.x prior to 16.10.5
Mahara versions 17.x prior to 17.04.3
Description
An issue allows unauthorized access to a user's account if the browser is closed without logging out of Mahara. The value in the
usr session table remains, and an attacker can exploit this by adjusting the mahara cookie to the old value, thus gaining access to the user's account.Recommendations
For Mahara versions prior to 15.04.14, update to version 15.04.14 or later.
For Mahara versions 16.x prior to 16.04.8, update to version 16.04.8 or later.
For Mahara versions 16.10.x prior to 16.10.5, update to version 16.10.5 or later.
For Mahara versions 17.x prior to 17.04.3, update to version 17.04.3 or later.
Fix
Session Fixation
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mahara