Security issues were discovered in the passwordauth plugin's use of CGI::FormBuilder, involving API design issues similar to those that led to CVE-2014-1572. Impact:
* An attacker who can log in to a site with a password can log in as a different and potentially more privileged user.
* An attacker who can create a new account can set arbitrary fields in the user database for that account.
Sites that enable the CGI script (cgi_wrapper) and do not disable the simple password authentication plugin (passwordauth, enabled by default) are affected.
Created ikiwiki tracking bugs for this issue:
Affects: fedora-all [bug 1412702]
Affects: epel-6 [bug 1406696]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.