CVE-2017-1000153 — CRITICAL (9.8)

Vulnerability Description

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mahara	Mahara	15.04

Related Weaknesses (CWE)

CWE-732

References

https://bugs.launchpad.net/mahara/+bug/1577251ExploitIssue TrackingPatch
https://bugs.launchpad.net/mahara/+bug/1577251ExploitIssue TrackingPatch

FAQ

What is CVE-2017-1000153?

CVE-2017-1000153 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default ...

How severe is CVE-2017-1000153?

CVE-2017-1000153 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-1000153?

Check the references section above for vendor advisories and patch information. Affected products include: Mahara Mahara.