03 May 2016, 13:22

Changes to Mahara's session management in 15.04.0, when Mahara is running on PHP version 5.3, were can sometimes cause two users on separate computers to be served the same session ID. This results in one user being "logged in" as the other user, with all that user's permissions and access. This situation can occur when a user takes an action that forces another user to be logged out of Mahara, such as an admin changing another user's account settings.

Category: Sessions
Severity: High
Versions affected: <15.04.7, <15.10.3, running PHP 5.3
Reported by: Aaron Wells
Bug reports: https://bugs.launchpad.net/mahara/+bug/1570744

CVE reference: 2017-1000152