Forums | Mahara Community

Security issue relating to session fixation and privilege escalation <1.8.6, <1.9.4, <1.10.1



26 November 2014, 13:36

Password reset key leaked via HTTP "Referer" field

Category: Session fixation
Severity: Low
Versions affected: <1.8.6, <1.9.4, <1.10.1
Reported by: Dushyant Sahu
Bug report: https://bugs.launchpad.net/mahara/+bug/1333096
CVE reference: CVE-2014-8694

-------------------------------------------------------------------------------------------------------------------

CLI scripts can be executed from the web

Category: Escalation of privileges
Severity: Medium
Versions affected: <1.8.6, <1.9.4, <1.10.1
Reported by: Aaron Barnes
Bug report: https://bugs.launchpad.net/mahara/+bug/1387903
CVE reference: CVE-2014-8695

CLI scripts are intended to be accessible only by administrators with CLI access to the server, but not from the web. A check is implemented to ensure that CLI scripts can only be run from the command line rather than the web server.
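As an added illustration of the kind of guard the fix describes (example code, not Mahara's own; the function names are assumed), a PHP snippet that refuses to run a maintenance script unless it was started from the command line:

```php
<?php
// Added example: a guard for scripts that must never be reachable via the web.

function running_from_cli(): bool
{
    // PHP_SAPI is 'cli' for the command-line interpreter; every web SAPI
    // (apache2handler, fpm-fcgi, cgi-fcgi, ...) reports a different name.
    if (PHP_SAPI !== 'cli') {
        return false;
    }
    // Defence in depth: a web request always carries request metadata that a
    // genuine command-line invocation never has.
    if (isset($_SERVER['REQUEST_METHOD']) || isset($_SERVER['HTTP_HOST'])) {
        return false;
    }
    return true;
}

function require_cli(): void
{
    if (!running_from_cli()) {
        // Answer a web caller with a bare 403 and reveal nothing about the script.
        if (!headers_sent()) {
            header('HTTP/1.1 403 Forbidden');
        }
        exit('This script may only be run from the command line.');
    }
}

// Place the guard before any other work the script does.
require_cli();
// ... maintenance work follows ...
```

The in-script check is the last line of defence; the web server should additionally be configured to deny HTTP access to the directory holding such scripts, so that they are never served even if a future script omits the guard.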
