Vulnerability Name: | CVE-2017-1000153 (CCN-134473) | ||||||||||||
Assigned: | 2016-10-25 | ||||||||||||
Published: | 2016-10-25 | ||||||||||||
Updated: | 2019-10-03 | ||||||||||||
Summary: | Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account. | ||||||||||||
CVSS v3 Severity: | 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||||||
Vulnerability Type: | CWE-732 | ||||||||||||
Vulnerability Consequences: | Bypass Security | ||||||||||||
References: | Source: MITRE Type: CNA CVE-2017-1000153 Source: CCN Type: Mahara Bugs: 1577251 Should invalidate password reset links when a user changes their primary email address Source: MISC Type: Exploit, Issue Tracking, Patch, Third Party Advisory https://bugs.launchpad.net/mahara/+bug/1577251 Source: XF Type: UNKNOWN mahara-cve20171000153-sec-bypass(134473) Source: CCN Type: Mahara Web site Mahara | ||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration CCN 1: Denotes that component is vulnerable | ||||||||||||
BACK |