Forums | Mahara Community
Information disclosure in Mahara 1.1.4
22 June 2009, 11:01 AM
|Versions affected:||< 1.1.5|
|Reported by:||Mahara Team|
Mahara lets a user see an 'artefact' whenever that artefact has been placed within a 'view' to which the user has explicitly been granted access. While Mahara made some permission checks before presenting the user with a list of artefacts to include in a view, it did not apply these checks when saving the view.
Therefore, a user could gain access to another user's artefact without that other user's permission.
Edits to this post:
- François Marier - 24 June 2009, 4:49 AM