Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended.
According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mahara | Mahara | 1.8-rc1 (including) | 1.8-rc1 (including) |
| Mahara | Mahara | 1.8-rc2 (including) | 1.8-rc2 (including) |
| Mahara | Mahara | 1.8.0 (including) | 1.8.0 (including) |
| Mahara | Mahara | 1.8.1 (including) | 1.8.1 (including) |
| Mahara | Mahara | 1.8.2 (including) | 1.8.2 (including) |
| Mahara | Mahara | 1.8.3 (including) | 1.8.3 (including) |
| Mahara | Mahara | 1.8.4 (including) | 1.8.4 (including) |
| Mahara | Mahara | 1.8.5 (including) | 1.8.5 (including) |
| Mahara | Mahara | 1.8.6 (including) | 1.8.6 (including) |