An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-31T18:00:00

Updated: 2024-08-05T19:20:41.466Z

Reserved: 2017-09-06T00:00:00

Link: CVE-2017-14163

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2017-10-31T18:29:00.250

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-14163

cve-icon Redhat

No data.