CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2017-17455
https://notcve.org/view.php?id=CVE-2017-17455
Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present. Mahara 16.10 en versiones anteriores a la 16.10.7, versiones 17.04 anteriores a la 17.04.5 y versiones 17.10 anteriores a la 17.10.2 es vulnerable a ser forzado, mediante un ataque Man-in-the-Middle (MitM), a interactuar con Mahara en el protocolo HTTP en lugar de HTTPS, incluso auque haya un certificado SSL. • https://bugs.launchpad.net/mahara/+bug/1734767 https://mahara.org/interaction/forum/topic.php?id=8150 https://reviews.mahara.org/#/c/8312 • CWE-295: Improper Certificate Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000141
https://notcve.org/view.php?id=CVE-2017-1000141
An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. Se ha descubierto un problema en versiones anteriores a la 18.10.0 de Mahara. Manejaba de manera incorrecta las peticiones de los usuarios que podían interrumpir la capacidad de un usuario de mantener su propia cuenta (cambiar el nombre de usuario, cambiar la dirección de correo electrónico principal, eliminar la cuenta). • https://bugs.launchpad.net/mahara/+bug/1422492 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 4.4EPSS: 0%CPEs: 34EXPL: 1CVE-2017-1000157
https://notcve.org/view.php?id=CVE-2017-1000157
Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recording plain text passwords in the event_log table during the user creation process if full event logging was turned on. Mahara, en versiones 15.04 anteriores a la 15.04.13, versiones 16.04 anteriores a la 16.04.7, versiones 16.10 anteriores a la 16.10.4 y versiones 17.04 anteriores a la 17.04.2 es vulnerable a que se guarden contraseñas en texto plano en la tabla event_log durante el proceso de creación de un usuario, si el registro de eventos completo estaba activado. • https://bugs.launchpad.net/mahara/+bug/1692749 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 42EXPL: 0CVE-2017-15273
https://notcve.org/view.php?id=CVE-2017-15273
Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. Mahara, en versiones 15.04 anteriores a la 15.04.15, versiones 16.04 anteriores a la 16.04.9, versiones 16.10 anteriores a la 16.10.6 y versiones 17.04 anteriores a la 17.04.4, es vulnerable a que un usuario envíe un payload potencialmente peligroso (como código XSS) para que se guarde como títulos en artefactos internos. • https://bugs.launchpad.net/mahara/+bug/1719472 https://bugs.launchpad.net/mahara/+bug/1719480 https://bugs.launchpad.net/mahara/+bug/1720034 https://mahara.org/interaction/forum/topic.php?id=8081 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 38EXPL: 0CVE-2017-14163
https://notcve.org/view.php?id=CVE-2017-14163
An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. Se ha descubierto un problema en Mahara, en versiones anteriores a la 15.04.14, versiones 16.x anteriores a la 16.04.8, versiones 16.10.x anteriores a la 16.10.5 y versiones 17.x anteriores a la 17.04.3. Cuando un usuario cierra el navegador sin cerrar sesión en Mahara, no se elimina el valor en la tabla usr_session. • https://bugs.launchpad.net/mahara/+bug/1701978 • CWE-384: Session Fixation •