Vulnerability Details : CVE-2013-4429
Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remote authenticated users to read arbitrary artefacts via the (1) artefact id in an upload action when creating a journal or (2) instconf_artefactid_selected[ID] parameter in an upload action when editing a block.
Exploit prediction scoring system (EPSS) score for CVE-2013-4429
Probability of exploitation activity in the next 30 days: 0.19%
Percentile (the proportion of vulnerabilities scored at or below this one): ~55%
CVSS scores for CVE-2013-4429
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST
CWE ids for CVE-2013-4429
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4429
- https://mahara.org/interaction/forum/topic.php?id=5753 (Security Announcements - Multiple Access Control Vulnerabilities in <1.5.12, <1.6.7, <1.7.3 - Mahara ePortfolio System)
- https://bugs.launchpad.net/mahara/+bug/1211758 (Bug #1211758 "Arbitrary image download" : Bugs : Mahara)
- http://www.openwall.com/lists/oss-security/2013/10/15/1 (oss-security - Re: CVE request: mahara 1.7.3)
- http://www.openwall.com/lists/oss-security/2013/10/08/3 (oss-security - CVE request: mahara 1.7.3)
- http://www.openwall.com/lists/oss-security/2013/10/16/7 (oss-security - Re: Re: CVE request: mahara 1.7.3)
Products affected by CVE-2013-4429
- cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.7.1:*:*:*:*:*:*:*