ubuntucve | Ubuntu.com | UB:CVE-2011-1404
History: May 13, 2011 - 12:00 a.m.

CVE-2011-1404


CVSS2: 4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.002
Percentile: 61.1%

Mahara before 1.3.6 does not properly restrict the data in responses to
AJAX calls, which allows remote authenticated users to obtain sensitive
information via a request associated with (1)
blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3)
group/membersearchresults.json.php, or (4) json/friendsearch.php, as
demonstrated by information about friends and e-mail addresses.

OS      OS Version  Architecture  Package  Package Version       Filename
ubuntu  10.04       noarch        mahara   < 1.2.4-1ubuntu0.3    UNKNOWN
ubuntu  10.10       noarch        mahara   < 1.2.5-2ubuntu0.2    UNKNOWN
ubuntu  11.04       noarch        mahara   < 1.2.7-1ubuntu0.1    UNKNOWN
