Launchpad CVE tracker

CVE 2017-1000153

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account.

Related bugs and status

CVE-2017-1000153 (Candidate) is related to these bugs:

Bug #1577251: Should invalidate password reset links when a user changes their primary email address

		In	Importance	Status
1577251	Should invalidate password reset links when a user changes their primary email address	Mahara	Low	Fix Released
1577251	Should invalidate password reset links when a user changes their primary email address	Mahara 15.10	Low	Fix Released
1577251	Should invalidate password reset links when a user changes their primary email address	Mahara 15.04	Low	Fix Released
1577251	Should invalidate password reset links when a user changes their primary email address	Mahara 16.10	Low	Fix Released
1577251	Should invalidate password reset links when a user changes their primary email address	Mahara 16.04	Low	Fix Released

See the

CVE page on Mitre.org for more details.

References

MISC: https://bugs.launchpad...

Launchpad.net

CVE 2017-1000153

Related bugs and status

Related bugs

References