Forums | Mahara Community
Security Announcements
/
Security issue relating to access control in Mahara groups <15.04.9, <15.10.5, <16.04.3
08 August 2016, 17:44
Access to a group's configuration page is meant to be limited to users with the "admin" role in the group. However, any user with any level of membership in the group could access the configuration page and make changes to the group's configuration.
Category: Access control
Severity: High
Versions Affected: <15.04.9, <15.10.5, <16.04.3
Reported by: Ghada El-Zoghbi
Bug report: https://bugs.launchpad.net/mahara/+bug/1609200
CVE reference: 2017-1000156
We strongly recommend that all Mahara administrators upgrade to the latest version: 15.04.9, 15.10.5, or 16.04.3.
Edits to this post:
- Kristina Hoeppner - 07 November 2017, 12:46