Forums | Mahara Community

Security Announcements /
RSS feed password vulnerability <1.5.10, <1.6.5, <1.7.1


Aaron Wells

03 May 2013, 12:54

Potential compromise of stored passwords in RSS blocks

Category: Password security
Severity: Low
Versions affected: <1.7.1, <1.6.5, <1.5.10
Reported by: Aaron Wells
Bug Report: https://bugs.launchpad.net/bugs/1016253 https://bugs.launchpad.net/bugs/1171714 https://bugs.launchpad.net/bugs/1172096
CVE references: CVE-2013-7410, CVE-2013-7411, CVE-2013-7412, CVE-2013-7413

A bug created the potential for the username and password stored in an "externalfeed" RSS block to become visible to a user other than its creator. This vulnerability has been fixed by the Mahara core developers.

Upgrading to Mahara 1.5.10, 1.6.5, or 1.7.1 is strongly recommended.

Download links for fixed versions:

Update from Kristina was for adding CVE references
