Incorrect Permission Assignment for Critical Resource

CVE-2017-1000153

High

9.8/10

Summary

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

Advisory Timeline

Published Nov 03, 2017

Incorrect Permission Assignment for Critical Resource

CVE-2017-1000153

Summary

CWE-732 - Incorrect Permission Assignment for Critical Resource

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS