Privilege escalation in Mahara 1.1.6 and 1.0.12

Thu, 29 Oct 2009, 5:31 PM

François Marier

Category: Privilege escalation
Severity: Major
Versions affected: < 1.0.13, < 1.1.7
Reported by: Ruslan Kabalin of Lancaster University Network Services
Identifier: CVE-2009-3298

It has been discovered that in previous releases of Mahara, it was possible for an institution administrator to reset the password of the site administrator in certain cases.

Upgrading to Mahara 1.1.7 or 1.0.13 is strongly recommended for all sites using multiple institutions.