Forums | Mahara Community
Security issue relating to disclosing information <16.10.7; <17.04.5; <17.10.2
17 January 2018, 5:23 PM
Have page forgotpass.php use captcha field (if configured) and also return generic message to avoid disclosing sensitive information
Vuln type: disclosing information
Impact: Allows one to work out a valid username with in Mahara
Mahara 16.10 before 16.10.7, 17.04 before 17.04.5 and 17.10 before 17.10.2 using https are vulnerable to hackers working out valid usernames via using the forgot pass link.
Reported by: Son Nguyen