Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
References
| Link | Resource |
|---|---|
| http://www.debian.org/security/2012/dsa-2591 | Mailing List |
| https://bugs.launchpad.net/mahara/+bug/1047111 | Issue Tracking Patch |
| https://mahara.org/interaction/forum/topic.php?id=4869 | Vendor Advisory |
Configurations
History
15 Feb 2024, 03:19
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Debian
Debian debian Linux |
|
| CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 9.1 |
| References | () http://www.debian.org/security/2012/dsa-2591 - Mailing List | |
| References | () https://bugs.launchpad.net/mahara/+bug/1047111 - Issue Tracking, Patch | |
| CPE | cpe:2.3:a:mahara:mahara:1.5:rc2:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4:rc1:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4.3:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4.0:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.5.1:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4.2:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.5.2:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4:rc3:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.5.0:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.1.5:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.5:rc1:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.1.4:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4:rc4:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:1.4.1:*:*:*:*:*:*:* |
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:* |
| CWE | CWE-611 |
Information
Published : 2012-11-24 20:55
Updated : 2024-02-15 03:19
NVD link : CVE-2012-2239
Mitre link : CVE-2012-2239
CVE.ORG link : CVE-2012-2239
JSON object : View
Products Affected
debian
- debian_linux
mahara
- mahara
CWE
CWE-611
Improper Restriction of XML External Entity Reference