CVE-2017-14163
HIGHMahara <15.04.14,16.x<16.04.8,16.10.x<16.10.5,17.x<17.04.3 - Info D...
Title source: llmDescription
An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account.
References (1)
Core 1
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugs.launchpad.net/mahara/+bug/1701978
Scores
CVSS v3
8.8
EPSS
0.0092
EPSS Percentile
55.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-384
Status
published
Products (34)
mahara/mahara
15.04 rc1 (2 CPE variants)
mahara/mahara
15.04.0
mahara/mahara
15.04.1
mahara/mahara
15.04.2
mahara/mahara
15.04.3
mahara/mahara
15.04.4
mahara/mahara
15.04.5
mahara/mahara
15.04.6
mahara/mahara
15.04.7
mahara/mahara
15.04.8
... and 24 more
Published
Oct 31, 2017
Tracked Since
Feb 18, 2026