CVE-2017-1000152

critical

Published 2017-11-03 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 are vulnerable to one user being logged in as another user on a separate computer as the same session ID is served. This situation can occur when a user takes an action that forces another user to be logged out of Mahara, such as an admin changing another user's account settings.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://bugs.launchpad.net/mahara/+bug/1570744

Application impact

Vendor	Product	Versions
mahara	mahara	`15.04`
mahara	mahara	`15.04.0`
mahara	mahara	`15.04.1`
mahara	mahara	`15.04.2`
mahara	mahara	`15.04.3`
mahara	mahara	`15.04.4`
mahara	mahara	`15.04.5`
mahara	mahara	`15.04.6`
mahara	mahara	`15.10.0`
mahara	mahara	`15.10.1`
mahara	mahara	`15.10.2`

References

Verify integrity in audit chain (admin only). AS-IS.