Vulnerabilities > Mahara > Critical

DATE CVE VULNERABILITY TITLE RISK
2022-11-06 CVE-2022-44544 Unspecified vulnerability in Mahara
Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export to trigger a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript.
network
low complexity
mahara
critical
 9.8
9.8
2021-11-03 CVE-2021-40849 Insufficient Session Expiration vulnerability in Mahara
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.
network
low complexity
mahara CWE-613
critical
 9.8
9.8
2017-11-03 CVE-2017-1000171 Information Exposure Through Log Files vulnerability in Mahara Mobile 1.2.0
Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text.
network
low complexity
mahara CWE-532
critical
 9.8
9.8
2017-11-03 CVE-2017-1000154 Improper Authentication vulnerability in Mahara
Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to some authentication methods, which do not use Mahara's built-in login form, still allowing users to log in even if their institution was expired or suspended.
network
low complexity
mahara CWE-287
critical
 9.8
9.8
2017-11-03 CVE-2017-1000153 Incorrect Permission Assignment for Critical Resource vulnerability in Mahara
Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default email, Mahara fails to invalidate old link.Consequently the link in email can be used to gain access to the user's account.
network
low complexity
mahara CWE-732
critical
 9.8
9.8
2017-11-03 CVE-2017-1000152 Unspecified vulnerability in Mahara
Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 are vulnerable to one user being logged in as another user on a separate computer as the same session ID is served.
network
low complexity
mahara
critical
 9.8
9.8
2012-11-24 CVE-2012-2239 XXE vulnerability in multiple products
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
network
low complexity
mahara debian CWE-611
critical
 9.1
9.1