    Information disclosure in Mahara 1.1.4
21 June 2009, 23:01
| Category: | Information disclosure |
| Severity: | Major |
| Versions affected: | < 1.1.5 |
| Reported by: | Mahara Team |
| Identifier: | CVE-2009-2171 |
Mahara lets a user see an 'artefact' whenever that artefact has been placed within a 'view' to which the user has explicitly been granted access. While Mahara made some permission checks before presenting the user with a list of artefacts to include in a view, it did not apply these checks when saving the view.
Therefore, a user could gain access to another user's artefact without that other user's permission.
Edits to this post:
- François Marier - 23 June 2009, 16:49
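The flaw class described in the announcement, as an added example that is not Mahara's code: a permission check applied when listing choices must be applied again when the submitted selection is saved. All names, the ownership rule and the sample data are assumptions made for illustration.

```python
# Illustrative model only: names, rule and data are hypothetical, not Mahara's code or schema.
from dataclasses import dataclass, field

@dataclass
class Artefact:
    id: int
    owner: str

@dataclass
class View:
    owner: str
    artefact_ids: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)

# Constructed sample data: alice owns artefacts 1 and 2, bob owns artefact 3.
ARTEFACTS = {a.id: a for a in (Artefact(1, "alice"), Artefact(2, "alice"), Artefact(3, "bob"))}

def may_use(user, artefact_id):
    """Permission check (simplified assumption: only the owner may place an artefact)."""
    art = ARTEFACTS.get(artefact_id)
    return art is not None and art.owner == user

def list_choices(user):
    """Artefacts offered in the view editor; the check is applied here in both versions."""
    return sorted(i for i in ARTEFACTS if may_use(user, i))

def save_view_unchecked(user, submitted_ids):
    """Flawed pattern: trusts that the submitted ids came from list_choices()."""
    return View(owner=user, artefact_ids=list(submitted_ids))

def save_view_checked(user, submitted_ids):
    """Fixed pattern: re-applies the same check to every submitted id at save time."""
    denied = [i for i in submitted_ids if not may_use(user, i)]
    if denied:
        raise PermissionError(f"{user} may not place artefacts {denied}")
    return View(owner=user, artefact_ids=list(submitted_ids))

def can_see(user, view, artefact_id):
    """Viewing rule from the advisory: access to a view grants access to its artefacts."""
    return artefact_id in view.artefact_ids and (user == view.owner or user in view.shared_with)
```

Because viewing is authorised through the view, the save path is the only place where the artefact owner's permission can be enforced.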