Vulnerability CVE-2017-1000157


Published: 2017-11-03

Description:
Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recording plain text passwords in the event_log table during the user creation process if full event logging was turned on.

Type:

CWE-200

(Information Exposure)

Vendor: Mahara
Product: Mahara 
Version:
17.04.1
17.04.0
17.04
16.10.3
16.10.2
16.10.1
16.10.0
16.10
16.04.6
16.04.5
16.04.4
16.04.3
16.04.2
16.04.1
16.04.0
16.04
15.04.9
15.04.8
15.04.7
15.04.6
15.04.5
15.04.4
15.04.3
15.04.2
15.04.12
15.04.11
15.04.10
15.04.1
15.04.0
15.04

CVSS2 => (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
https://bugs.launchpad.net/mahara/+bug/1692749

Related CVE
CVE-2018-11196
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara. In contrast to other ZIP files that are uploaded, Cl...
CVE-2018-11195
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack. This allows malicious users with physical access to the web browser of a Mahara user, after they have logged in, to...
CVE-2018-11565
Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information.
CVE-2018-6182
Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the serve...
CVE-2017-17455
Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present.
CVE-2017-17454
Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and in...
CVE-2017-1000141
An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to eit...
CVE-2017-1000171
Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text.

Copyright 2018, cxsecurity.com

 

Back to Top