Forums | Mahara Community

Security Announcements
Security issue relating to disclosing information <16.10.7; <17.04.5; <17.10.2

Robert Lyon

17 January 2018, 17:23

Have page forgotpass.php use captcha field (if configured) and also return generic message to avoid disclosing sensitive information

Vuln type: disclosing information
Impact: Allows one to work out a valid username within Mahara

Mahara 16.10 before 16.10.7, 17.04 before 17.04.5 and 17.10 before 17.10.2 using https are vulnerable to hackers working out valid usernames by using the forgot pass link.

Reported by: Son Nguyen
Bug reports:

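The fix the announcement describes, shown as an added example that is not Mahara's own code: a minimal forgot-password handler in Python, first in the form that reveals whether a username exists, then in the form that checks the captcha first and returns the same generic message either way. The account store, message strings and helper names are assumptions made for this demo.

```python
"""Added example (not Mahara's code): a forgot-password handler in its
username-disclosing form and in the generic-response form the advisory
describes. The account store and messages below are constructed for the demo."""
import secrets

# Constructed account store: username -> email (stand-in for a real user table).
ACCOUNTS = {"alice": "alice@example.org"}

GENERIC_MSG = "If that account exists, password reset instructions have been emailed."

SENT = []  # outbound mail log for the demo: (email, reset token)


def _queue_reset_email(email: str) -> None:
    """Record a reset email with a fresh unguessable token (demo stand-in for mail)."""
    SENT.append((email, secrets.token_urlsafe(32)))


def forgotpass_disclosing(username: str) -> str:
    """Vulnerable variant: the response differs depending on whether the
    username exists, so an unauthenticated caller learns which usernames are valid."""
    if username not in ACCOUNTS:
        return "No user with that username exists."
    _queue_reset_email(ACCOUNTS[username])
    return "Password reset instructions have been sent to your email."


def forgotpass_generic(username: str, captcha_ok: bool = True) -> str:
    """Hardened variant: the (configured) captcha is checked before any lookup,
    and the response is identical whether or not the account exists."""
    if not captcha_ok:
        return "Captcha check failed. Please try again."
    email = ACCOUNTS.get(username)
    if email is not None:
        _queue_reset_email(email)
    # Same message on both paths: nothing about account existence leaks.
    return GENERIC_MSG


def responses_identical(handler, first: str, second: str) -> bool:
    """True when the handler answers two usernames with the same text."""
    return handler(first) == handler(second)
```

The vulnerable variant also sends mail only for real accounts, but that is invisible to the caller; the response text is the channel the generic message closes.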