Debian DSA-2246-1 Critical: Remote Threats in Mahara Software
debian
May 29, 2011
Several vulnerabilities were discovered in mahara, an electronic portfolio, weblog, and resume builder
Topics Covered
Summary
Several vulnerabilities were discovered in mahara, an electronic portfolio,
weblog, and resume builder. The following Common Vulnerabilities and
Exposures project ids identify them:
CVE-2011-1402
It was discovered that previous versions of Mahara did not check user
credentials before adding a secret URL to a view or suspending a user.
CVE-2011-1403
Due to a misconfiguration of the Pieform package in Mahara, the cross-site
request forgery protection mechanism that Mahara relies on to harden its
form was not working and was essentially disabled.
This is a critical vulnerability which could allow attackers to trick other
users (for example administrators) into performing malicious actions on
behalf of the attacker. Most Mahara forms are vulnerable.
CVE-2011-1404
Many of the JSON structures returned by Mahara for its AJAX interactions
included more information than what ought to be disclosed to the logged in
user. New versions of Mahara limit this information to what is necessary for
...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: mahara
CVE ID: CVE-2011-1402 CVE-2011-1403 CVE-2011-1404 CVE-2011-1405
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!