Vulnerabilities > Mahara
| Published | CVE | Title | Description | Score |
|---|---|---|---|---|
| 2022-11-06 | CVE-2022-42707 | Unspecified vulnerability in Mahara | In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0, embedded images are accessible without a sufficient permission check under certain conditions. | 7.5 |
| 2022-11-06 | CVE-2022-44544 | Unspecified vulnerability in Mahara | Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export to trigger a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript. (-dSAFER puts Ghostscript into its restricted mode, which limits PostScript file access and disables the %pipe% device; it is the default from Ghostscript 9.50 onward, so the exposure is on older builds or where it has been explicitly disabled.) | 9.8 |
| 2022-06-20 | CVE-2022-33913 | Incorrect Authorization vulnerability in Mahara | In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04 before 22.04.2, files can sometimes be downloaded through thumb.php with no permission check. | 4.3 |
| 2022-04-28 | CVE-2022-28892 | Cross-Site Request Forgery (CSRF) vulnerability in Mahara | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. | 8.8 |
| 2022-04-28 | CVE-2022-29584 | Cross-site Scripting vulnerability in Mahara | | 3.5 |
| 2022-04-28 | CVE-2022-29585 | Incorrect Default Permissions vulnerability in Mahara | In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. | 5.0 |
| 2022-02-10 | CVE-2022-24111 | Missing Authentication for Critical Function vulnerability in Mahara | In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members, and portfolios created at the site and institution levels, can be viewed without a login if their URL is known. | 5.0 |
| 2022-02-09 | CVE-2022-24694 | Files or Directories Accessible to External Parties vulnerability in Mahara | In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders. | 4.0 |
| 2021-11-03 | CVE-2021-40848 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Mahara | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program interprets as a command, leading to execution of a malicious string locally on a device (CSV injection). | 6.8 |
| 2021-11-03 | CVE-2021-40849 | Insufficient Session Expiration vulnerability in Mahara | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token can be exploited and logged into, resulting in information disclosure at a minimum and often escalation of privileges. | 7.5 |
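The CVE-2022-28892 entry says the CSRF tokens were "too easily guessable". The following is an added example, not Mahara's code (Mahara is PHP; the logic is framework-independent and shown here in Python), and its weak generator is a constructed stand-in for a low-entropy token, not a description of Mahara's actual bug. It shows why a token derived from a PRNG seeded with a guessable value can be regenerated by an attacker, what a proper token looks like, and how the server-side comparison should be done.

```python
"""Guessable vs. unguessable CSRF tokens (added example; not Mahara's code)."""
import hmac
import random
import secrets
from typing import Iterable, Optional


def weak_token(seed: int) -> str:
    """Constructed weak generator: a deterministic PRNG seeded from a
    low-entropy value such as a timestamp. Anyone who can narrow down the
    seed can regenerate the exact token."""
    rng = random.Random(seed)
    return "%08x" % rng.getrandbits(32)


def strong_token() -> str:
    """32 bytes (256 bits) from the OS CSPRNG, base64url-encoded to 43 chars.
    It cannot be reproduced from any public state."""
    return secrets.token_urlsafe(32)


def recover_seed(observed_token: str, candidate_seeds: Iterable[int]) -> Optional[int]:
    """Attacker side: brute-force a window of plausible seeds until one
    reproduces the observed token."""
    for seed in candidate_seeds:
        if weak_token(seed) == observed_token:
            return seed
    return None


def csrf_valid(session_token: Optional[str], submitted_token: Optional[str]) -> bool:
    """Server side: reject missing tokens and compare in constant time so the
    check itself does not leak how many leading characters matched."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


def demo() -> dict:
    # Constructed scenario: the attacker knows the issue time to within a minute.
    issued_at = 1_700_000_000
    leaked = weak_token(issued_at)
    guessed_seed = recover_seed(leaked, range(issued_at - 60, issued_at + 61))
    forged = weak_token(guessed_seed) if guessed_seed is not None else None
    return {
        # True: the forged token passes the server's check.
        "weak_forged": csrf_valid(leaked, forged),
        # 1000 draws from the CSPRNG never collide.
        "strong_unique": len({strong_token() for _ in range(1000)}) == 1000,
    }


if __name__ == "__main__":
    print(demo())
```

The brute force over 121 candidate seeds is the whole attack: the search space is the attacker's uncertainty about the seed, not the length of the token. `secrets.token_urlsafe` removes that dependency, and `hmac.compare_digest` keeps the comparison from becoming a timing oracle.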
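For the CVE-2021-40848 entry (CSV injection), here is an added example of the standard mitigation, written for this page rather than taken from Mahara's export code: any cell whose first character would make a spreadsheet evaluate it as a formula is prefixed with a single quote, every field is quoted, and an audit function scans an existing export for cells that were missed. The sample rows are constructed; numeric values with a leading sign are kept as data so that the fix does not corrupt ordinary negative numbers.

```python
"""Neutralising formula elements in CSV exports (added example; not Mahara's code)."""
import csv
import io
from typing import Iterable, List, Sequence, Tuple

# Leading characters that spreadsheet programs treat as the start of a formula
# ("=", "+", "-", "@"); tab and carriage return can also change how a cell is parsed.
ALWAYS_FORMULA = ("=", "@", "\t", "\r")
SIGN_PREFIXES = ("+", "-")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it as text.
    Plain signed numbers such as "-42" or "+1.5" are ordinary data and are kept."""
    if cell[:1] in ALWAYS_FORMULA:
        return True
    if cell[:1] in SIGN_PREFIXES:
        try:
            float(cell)
            return False
        except ValueError:
            return True
    return False


def neutralise_cell(value) -> str:
    text = "" if value is None else str(value)
    # A leading apostrophe forces the cell to be treated as literal text.
    return "'" + text if is_formula_like(text) else text


def export_csv(header: Sequence[str], rows: Iterable[Sequence]) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralise_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralise_cell(v) for v in row])
    return buf.getvalue()


def audit_csv(text: str) -> List[Tuple[int, int]]:
    """Scan an existing export and return 1-based (row, column) positions of
    cells a spreadsheet would still evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c))
    return findings


# Constructed sample data: a user-controlled display name carries a formula.
SAMPLE_HEADER = ["username", "displayname", "points"]
SAMPLE_ROWS = [
    ["alice", '=HYPERLINK("http://example.invalid/x","open")', "10"],
    ["bob", "@SUM(A1:A2)", "-42"],
    ["carol", "Carol Smith", "+7"],
]

if __name__ == "__main__":
    safe = export_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(safe)
    print("formula-like cells remaining:", audit_csv(safe))
```

Quoting alone is not enough: a quoted `"=HYPERLINK(...)"` is still evaluated once the file is opened, which is why the apostrophe prefix is applied to the cell content itself and the audit checks the parsed cell values rather than the raw text.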
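The CVE-2021-40849 entry describes a web services token that could be used to log into its owner's account. As an added example, not Mahara's web services layer, the store below assumes two credential purposes, "webservice" for API calls and "session" for interactive login (both names are assumptions for this illustration), and refuses to honour a token for a purpose it was not issued for. It also enforces a lifetime and supports revocation, using an injectable clock so the expiry behaviour can be checked deterministically.

```python
"""Scoped, expiring web services tokens (added example; not Mahara's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SCOPES = ("webservice", "session")  # assumed names for the two credential purposes


@dataclass
class TokenRecord:
    user: str
    scope: str
    issued_at: float
    ttl_seconds: int
    revoked: bool = False


class TokenStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._tokens: Dict[str, TokenRecord] = {}

    def issue(self, user: str, scope: str, ttl_seconds: int) -> str:
        if scope not in SCOPES:
            raise ValueError("unknown scope: %r" % scope)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user, scope, self._clock(), ttl_seconds)
        return token

    def authenticate(self, token: str, required_scope: str) -> Optional[str]:
        """Return the user if the token is live and was issued for this purpose.
        A web services token never establishes an interactive session, and an
        expired token is treated exactly like an unknown one."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        if rec.scope != required_scope:
            return None
        if self._clock() >= rec.issued_at + rec.ttl_seconds:
            return None
        return rec.user

    def revoke(self, token: str) -> None:
        rec = self._tokens.get(token)
        if rec is not None:
            rec.revoked = True

    def revoke_user(self, user: str) -> int:
        """Invalidate every live token for a user (e.g. on password change);
        returns how many were revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def demo() -> dict:
    now = [1_700_000_000.0]  # constructed clock so expiry is deterministic
    store = TokenStore(clock=lambda: now[0])
    ws = store.issue("alice", "webservice", ttl_seconds=3600)
    results = {
        "api_call": store.authenticate(ws, "webservice"),    # "alice"
        "login_attempt": store.authenticate(ws, "session"),  # None: wrong scope
    }
    now[0] += 3600
    results["api_after_expiry"] = store.authenticate(ws, "webservice")  # None
    return results


if __name__ == "__main__":
    print(demo())
```

The scope check is the part that addresses the "logged into" half of the entry; the lifetime and revocation handle the "insufficient session expiration" half. Both are cheap to enforce at the single point where a token is looked up.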