Forums | Mahara Community

Security issue relating to Access control and profile pictures <15.04.8, <15.10.4, <16.04.2

Aaron Wells

11 July 2016, 5:13 PM

When a profile picture was accessed directly by its URL, Mahara failed to perform any access control checks. Consequently, any of a user's uploaded profile pictures could be viewed by anyone, whether or not they were currently selected as the "default" or used in any pages.

Category: Access control
Severity: Medium
Versions affected: <15.04.8, <15.10.4, <16.04.2
Reported by: Robert Lyon
Bug reports:
CVE reference: 2017-1000155

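The access decision a direct-URL picture handler has to make, as an added PHP example (not Mahara's code or its actual fix). The function name, the data layout, and the policy that a selected default picture is public while a page-embedded one follows that page's access list are assumptions made for illustration.

```php
<?php
// Added illustration; every name and record below is constructed, not Mahara's API.

// Constructed sample data: user 7 owns three uploaded profile pictures.
$icons = [
    101 => ['owner' => 7, 'is_default' => true],
    102 => ['owner' => 7, 'is_default' => false], // embedded in page 55
    103 => ['owner' => 7, 'is_default' => false], // uploaded, used nowhere
];
// Constructed pages: which pictures each embeds and who may view the page.
$pages = [
    55 => ['icons' => [102], 'viewers' => [7, 8]],
];

/** Decide whether $viewer (user id, or null when not logged in) may fetch $iconId. */
function can_view_profile_icon(?int $viewer, int $iconId, array $icons, array $pages): bool
{
    if (!isset($icons[$iconId])) {
        return false;                       // unknown id: deny, same answer as forbidden
    }
    $icon = $icons[$iconId];
    if ($viewer !== null && $viewer === $icon['owner']) {
        return true;                        // owners always see their own uploads
    }
    if ($icon['is_default']) {
        return true;                        // assumption: the selected default is public
    }
    foreach ($pages as $page) {
        if (in_array($iconId, $page['icons'], true)
            && $viewer !== null
            && in_array($viewer, $page['viewers'], true)) {
            return true;                    // embedded in a page this viewer can open
        }
    }
    return false;                           // non-default and unused: owner only
}

// Direct-URL requests as [viewer, picture id]; the handler would map false to 403.
$requests = [[null, 101], [null, 103], [8, 102], [9, 102], [7, 103]];
foreach ($requests as [$viewer, $iconId]) {
    $ok = can_view_profile_icon($viewer, $iconId, $icons, $pages);
    printf("viewer=%s icon=%d -> %s\n", $viewer ?? 'anon', $iconId, $ok ? '200' : '403');
}
```

The anonymous request for picture 103 is the case the advisory describes: it is neither the default nor used in a page, so only its owner should receive it.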