A vulnerability classified as problematic has been found in Mahara up to 17.04.7/17.10.4/18.04.0 (Content Management System). Affected is some unknown functionality. The manipulation with an unknown input leads to a information disclosure vulnerability (Username). CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. CVE summarizes:

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information.

The bug was discovered 05/23/2018. The weakness was released 05/30/2018 (Website). The advisory is available at bugs.launchpad.net. This vulnerability is traded as CVE-2018-11565 since 05/30/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 17.04.7, 17.10.5 or 18.04.1 eliminates this vulnerability.

Productinfo

Type

• Content Management System

Name

• Mahara

Version

• 17.04.0
• 17.04.1
• 17.04.2
• 17.04.3
• 17.04.4
• 17.04.5
• 17.04.6
• 17.04.7
• 17.10.0
• 17.10.1
• 17.10.2
• 17.10.3
• 17.10.4
• 18.04

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion