Launchpad CVE tracker

CVE 2013-4432

Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote authenticated users to read arbitrary folders (1) by leveraging an active folder tab loaded before permissions were removed or (2) via the folder parameter to artefact/file/groupfiles.php.

Related bugs and status

CVE-2013-4432 (Candidate) is related to these bugs:

Bug #1034180: A group member with no access rights to folder can still view it (if smart :D)

		In	Importance	Status
1034180	A group member with no access rights to folder can still view it (if smart :D)	Mahara	High	Fix Released
1034180	A group member with no access rights to folder can still view it (if smart :D)	Mahara 1.5	High	Fix Released
1034180	A group member with no access rights to folder can still view it (if smart :D)	Mahara 1.6	High	Fix Released
1034180	A group member with no access rights to folder can still view it (if smart :D)	Mahara 1.7	High	Fix Released
1034180	A group member with no access rights to folder can still view it (if smart :D)	mahara (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2013-4432

References