CVE-2017-1000147 - Cross-Site Request Forgery (CSRF) vulnerability in Mahara

Publication

2017-11-03

Last modification

2017-11-15

Summary

Mahara 1.9 before 1.9.8, 1.10 before 1.10.6, and 15.04 before 15.04.3 allow a cross-site request forgery (CSRF) attack against the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their own Mahara account.

Classification

CWE-352 - Cross-Site Request Forgery (CSRF)

Risk level (CVSS AV:N/AC:M/Au:S/C:P/I:P/A:P)

Medium

6.0

Access Vector

  • Network (AV:N)

Access Complexity

  • Medium (AC:M)

Authentication

  • Single (Au:S)

Confidentiality Impact

  • Partial (C:P)

Integrity Impact

  • Partial (I:P)

Availability Impact

  • Partial (A:P)

Affected Products

Vendor: Mahara
Product: Mahara
Versions: 1.9, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 15.04, 15.04.0, 15.04.1, 15.04.2