CVE-2017-1000148 - Code Injection vulnerability in Mahara

Publication

2017-11-03

Last modification

2017-11-13

Summary

Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file.

Classification

CWE-94 - Code Injection

Risk level (CVSS AV:N/AC:L/Au:S/C:P/I:P/A:P)

Medium

6.5

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products