Forums | Mahara Community

Security Announcements /
Security issue relating to Access control and password reset link <15.04.10, <15.10.6, <16.04.4


This topic is closed. Only moderators and the group administrators can post new replies.
Robert Lyon's profile picture
Posts: 749

25 October 2016, 20:39

After the password reset link is sent via email and then user changes default email Mahara fails to invalidate old link.
Consequently the link in email can be used to gain access to the user's account.

Category: Access control
Severity: Low
Versions affected: <15.04.10, <15.10.6, <16.04.4
Reported by: Sajibe kanti
Bug reports: https://bugs.launchpad.net/mahara/+bug/1577251
CVE reference: 2017-1000153

Edits to this post:

1 result