Launchpad CVE tracker

CVE 2010-1670

Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information.

Related bugs and status

CVE-2010-1670 (Candidate) is related to these bugs:

Bug #594891: Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password

		In	Importance	Status
594891	Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password	Mahara	Medium	Fix Released
594891	Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password	Mahara 1.0	Medium	Fix Released
594891	Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password	Mahara 1.1	Medium	Fix Released

Bug #602772: Sync mahara 1.2.5-1 (universe) from Debian unstable (main)

		In	Importance	Status
602772	Sync mahara 1.2.5-1 (universe) from Debian unstable (main)	mahara (Ubuntu)	Wishlist	Fix Released
602772	Sync mahara 1.2.5-1 (universe) from Debian unstable (main)	mahara (Ubuntu Jaunty)	Undecided	Fix Released
602772	Sync mahara 1.2.5-1 (universe) from Debian unstable (main)	mahara (Ubuntu Karmic)	Undecided	Fix Released
602772	Sync mahara 1.2.5-1 (universe) from Debian unstable (main)	mahara (Ubuntu Lucid)	Undecided	Fix Released
602772	Sync mahara 1.2.5-1 (universe) from Debian unstable (main)	mahara (Ubuntu Maverick)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2010-1670

References