Forums | Mahara Community
Security issue relating to Access control and password reset link <15.04.10, <15.10.6, <16.04.4
25 October 2016, 8:39 PM
After a password reset link has been sent via email, if the user then changes their default email address, Mahara fails to invalidate the old link.
Consequently, the link in the email can be used to gain access to the user's account.
Category: Access control
Versions affected: <15.04.10, <15.10.6, <16.04.4
Reported by: Sajibe kanti
Bug reports: https://bugs.launchpad.net/mahara/+bug/1577251
CVE reference: 2017-1000153
Edits to this post:
- Kristina Hoeppner - 07 November 2017, 4:28 PM
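
A minimal model of the flaw described above and of the corrected behaviour, added here as an illustration; it is not Mahara's code. The class, method names, the one-hour token lifetime and the sample addresses are all assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL = 3600  # assumed token lifetime in seconds; the advisory states none


class Accounts:
    """In-memory model of accounts and outstanding password reset tokens."""

    def __init__(self, invalidate_on_email_change=True):
        self.invalidate_on_email_change = invalidate_on_email_change
        self.email = {}   # username -> current email address
        self.resets = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, never the token itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[self._digest(token)] = (user, now + RESET_TTL)
        return token  # in a real system this is mailed to self.email[user]

    def revoke_resets(self, user):
        self.resets = {d: r for d, r in self.resets.items() if r[0] != user}

    def change_email(self, user, new_email):
        self.email[user] = new_email
        if self.invalidate_on_email_change:
            # The fix: a link mailed to the old address must stop working.
            self.revoke_resets(user)

    def redeem_reset(self, token, now=None):
        """Return the username the token resets, or None if it is not valid."""
        now = time.time() if now is None else now
        record = self.resets.pop(self._digest(token), None)  # single use
        if record is None or now > record[1]:
            return None
        return record[0]


def old_link_survives(invalidate):
    """True if a link mailed before an email change still redeems afterwards."""
    accounts = Accounts(invalidate_on_email_change=invalidate)
    accounts.email["alice"] = "old@example.org"  # constructed sample data
    token = accounts.request_reset("alice")
    accounts.change_email("alice", "new@example.org")
    return accounts.redeem_reset(token) == "alice"
```

With `invalidate_on_email_change=False` the model reproduces the reported behaviour; with the default it shows the link being rejected after the address change.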