Mahara ePortfolio System

Mahara Community

Security Announcements - Privilege escalation in Mahara 1.1.6 and 1.0.12

Fri, 30 Oct 2009, 10:31 AM
François Marier

Category: Privilege escalation
Severity: Major
Versions affected: < 1.0.13, < 1.1.7
Reported by: Ruslan Kabalin of Lancaster University Network Services
Identifier: CVE-2009-3298

It has been discovered that in previous releases of Mahara, it was possible for an institution administrator to reset the password of the site administrator in certain cases.

Upgrading to Mahara 1.1.7 or 1.0.13 is strongly recommended for all sites using multiple institutions.