Vulnerability Details : CVE-2013-4432
Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote authenticated users to read arbitrary folders (1) by leveraging an active folder tab loaded before permissions were removed or (2) via the folder parameter to artefact/file/groupfiles.php.
Products affected by CVE-2013-4432
- cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4432
- 0.19%: probability of exploitation activity in the next 30 days
- ~55%: percentile, the proportion of vulnerabilities that are scored at or less
EPSS Score History (chart not reproduced)
CVSS scores for CVE-2013-4432
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
CWE ids for CVE-2013-4432
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4432
- https://bugs.launchpad.net/mahara/+bug/1034180 (Bug #1034180 “A group member with no access rights to folder can...” : Bugs : Mahara)
- https://mahara.org/interaction/forum/topic.php?id=5864 (Security Announcements - Access Folder Artefact Vulnerabilities in <1.5.13, <1.6.8, <1.7.4 - Mahara ePortfolio System)
- http://www.openwall.com/lists/oss-security/2013/10/15/1 (oss-security - Re: CVE request: mahara 1.7.3)
- http://www.openwall.com/lists/oss-security/2013/10/08/3 (oss-security - CVE request: mahara 1.7.3)
- http://www.openwall.com/lists/oss-security/2013/10/16/7 (oss-security - Re: Re: CVE request: mahara 1.7.3)