CVE-2017-1000153

CRITICAL Year: 2017
CVSS v3 Score
9.8
Critical
CVSS v2 Score
7.5
High
Weakness Type
CWE-732
View all →

Vulnerability Description

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account.

Related Vulnerabilities

CVE-2011-3923

CRITICAL
CVSS:9.8(Critical)

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

CWE-7322011

CVE-2012-2087

CRITICAL
CVSS:9.8(Critical)

ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface.

CWE-7322012

CVE-2017-12816

CRITICAL
CVSS:9.8(Critical)

In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions, which might be used by a malware application to get unauthorized access to the pr...

CWE-7322017

CVE-2017-15877

CRITICAL
CVSS:9.8(Critical)

Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database.

CWE-7322017

CVE-2017-16638

CRITICAL
CVSS:9.8(Critical)

The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by t...

CWE-7322017

CVE-2017-16885

CRITICAL
CVSS:9.8(Critical)

Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to lo...

CWE-7322017