Mahara vulnerabilities rated High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS score) |
---|---|---|---|---|
2022-11-06 | CVE-2022-42707 | Unspecified vulnerability in Mahara | In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0, embedded images are accessible without a sufficient permission check under certain conditions. | 7.5 |
2022-06-20 | CVE-2022-33913 | Missing Authorization vulnerability in Mahara | In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check. | 7.5 |
2022-04-28 | CVE-2022-28892 | Cross-Site Request Forgery (CSRF) vulnerability in Mahara | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross-Site Request Forgery (CSRF) because its randomly generated tokens are too easily guessable. | 8.8 |
2021-11-03 | CVE-2021-40849 | Insufficient Session Expiration vulnerability in Mahara | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges. | 7.5 |
2017-11-03 | CVE-2017-1000154 | Improper Authentication vulnerability in Mahara | Mahara 15.04 before 15.04.8, 15.10 before 15.10.4, and 16.04 before 16.04.2 are vulnerable because some authentication methods that do not use Mahara's built-in login form still allow users to log in even if their institution has expired or been suspended. | 7.5 |
2017-11-03 | CVE-2017-1000153 | Incorrect Permission Assignment for Critical Resource vulnerability in Mahara | Mahara 15.04 before 15.04.10, 15.10 before 15.10.6, and 16.04 before 16.04.4 are vulnerable to incorrect access control: after a password reset link is sent via email and the user then changes their default email address, Mahara fails to invalidate the old link. Consequently, the link in the email can be used to gain access to the user's account. | 7.5 |
2017-11-03 | CVE-2017-1000152 | Unspecified vulnerability in Mahara | Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 are vulnerable to one user being logged in as another user on a separate computer because the same session ID is served. | 7.5 |
2010-07-06 | CVE-2010-1670 | Improper Authentication vulnerability in Mahara | Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. | 7.5 |
2010-07-06 | CVE-2010-1669 | SQL Injection vulnerability in Mahara | SQL injection vulnerability in Mahara 1.1.x before 1.1.9 and 1.2.x before 1.2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2010-04-07 | CVE-2010-0400 | SQL Injection vulnerability in Mahara 1.0.4 | SQL injection vulnerability in lib/user.php in Mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a username. | 7.5 |