Forums | Mahara Community

Security issue relating to access control in Mahara groups <15.04.9, <15.10.5, <16.04.3

Aaron Wells

08 August 2016, 5:44 PM

Access to a group's configuration page is meant to be limited to users with the "admin" role in the group. However, any user with any level of membership in the group could access the configuration page and make changes to the group's configuration.

Category: Access control
Severity: High
Versions Affected: <15.04.9, <15.10.5, <16.04.3
Reported by: Ghada El-Zoghbi
Bug report:
CVE reference: 2017-1000156

We strongly recommend that all Mahara administrators upgrade to the latest version: 15.04.9, 15.10.5, or 16.04.3.
