CVE-2017-14163

An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
maharamahara
15.04:rc1
maharamahara
15.04:rc2
maharamahara
15.04.0
maharamahara
15.04.1
maharamahara
15.04.2
maharamahara
15.04.3
maharamahara
15.04.4
maharamahara
15.04.5
maharamahara
15.04.6
maharamahara
15.04.7
maharamahara
15.04.8
maharamahara
15.04.9
maharamahara
15.04.10
maharamahara
15.04.11
maharamahara
15.04.12
maharamahara
15.04.13
maharamahara
16.04:rc1
maharamahara
16.04:rc2
maharamahara
16.04.0
maharamahara
16.04.1
maharamahara
16.04.2
maharamahara
16.04.3
maharamahara
16.04.4
maharamahara
16.04.5
maharamahara
16.04.6
maharamahara
16.04.7
maharamahara
16.10:rc1
maharamahara
16.10:rc2
maharamahara
16.10.0
maharamahara
16.10.1
maharamahara
16.10.2
maharamahara
16.10.3
maharamahara
16.10.4
maharamahara
17.04:rc1
maharamahara
17.04:rc2
maharamahara
17.04.0
maharamahara
17.04.1
maharamahara
17.04.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.launchpad.net/mahara/+bug/1701978
https://bugs.launchpad.net/mahara/+bug/1701978