Forums | Mahara Community
RSS feed password vulnerability <1.5.10, <1.6.5, <1.7.1
03 May 2013, 12:54
Potential compromise of stored passwords in RSS blocks
Category: Password security
Versions affected: <1.7.1, <1.6.5, <1.5.10
Reported by: Aaron Wells
Bug Report: https://bugs.launchpad.net/bugs/1016253 https://bugs.launchpad.net/bugs/1171714 https://bugs.launchpad.net/bugs/1172096
CVE references: CVE-2013-7410, CVE-2013-7411, CVE-2013-7412, CVE-2013-7413
A bug created the potential for the username and password stored in an "externalfeed" RSS block to become visible to a user other than its creator. This vulnerability has been fixed by the Mahara core developers.
Upgrading to Mahara 1.5.10, 1.6.5, or 1.7.1 is strongly recommended.
Download links for fixed versions:
Update from Kristina was for adding CVE references
Edits to this post:
- Kristina Hoeppner - 24 November 2014, 13:23