Vulnerability 67397 - CERT Civis.Net

Vulnerability Name:

CCN-67397

Published:

2011-05-10

Updated:

2011-05-10

Summary:

Mahara could allow a remote attacker to bypass security restrictions, caused by an error in the search.json.php script. The NSTITUTIONALADMIN permission is not checked. An attacker could exploit this vulnerability to search and suspend other users.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Consequences:

Bypass Security

References:

Source: XF
Type: UNKNOWN
mahara-searchjson-sec-bypass(67397)

Source: CCN
Type: Mahara Web site
Mahara 1.3.6

Vulnerable Configuration:

Configuration CCN 1:

cpe:/a:mahara:mahara:1.3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK