CVE-2017-1000136 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2017-1000136

CWE

https://cwe.mitre.org/data/definitions/613.html

Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name	Vendor	Start Version	End Version
Mahara	Mahara	1.8-rc1 (including)	1.8-rc1 (including)
Mahara	Mahara	1.8-rc2 (including)	1.8-rc2 (including)
Mahara	Mahara	1.8.0 (including)	1.8.0 (including)
Mahara	Mahara	1.8.1 (including)	1.8.1 (including)
Mahara	Mahara	1.8.2 (including)	1.8.2 (including)
Mahara	Mahara	1.8.3 (including)	1.8.3 (including)
Mahara	Mahara	1.8.4 (including)	1.8.4 (including)
Mahara	Mahara	1.8.5 (including)	1.8.5 (including)

Potential Mitigations

References

https://bugs.launchpad.net/mahara/+bug/1363873