Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-9282 | 1 Mahara | 1 Mahara | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, certain personal information is discoverable inspecting network responses on the 'Edit access' screen when sharing portfolios. | |||||
| CVE-2019-9708 | 1 Mahara | 1 Mahara | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system. | |||||
| CVE-2019-9709 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user. | |||||
| CVE-2018-6182 | 1 Mahara | 1 Mahara | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the server / PHP side as one can create own packets of POST data containing bad content with which to hit the server. | |||||
| CVE-2018-11565 | 1 Mahara | 1 Mahara | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information. | |||||
| CVE-2017-17454 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value. | |||||
| CVE-2017-1000141 | 1 Mahara | 1 Mahara | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. | |||||
| CVE-2017-17455 | 1 Mahara | 1 Mahara | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
| Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middle attack, to interact with Mahara on the HTTP protocol rather than HTTPS even when an SSL certificate is present. | |||||
| CVE-2018-11196 | 1 Mahara | 1 Mahara | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
| Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing infected files into a Leap2A archive and uploading that to Mahara. In contrast to other ZIP files that are uploaded, ClamAV (when activated) does not check Leap2A archives for viruses, allowing malicious files to be available for download. While files cannot be executed on Mahara itself, Mahara can be used to transfer such files to user computers. | |||||
| CVE-2018-11195 | 1 Mahara | 1 Mahara | 2023-12-10 | 2.1 LOW | 6.8 MEDIUM |
| Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" attack. This allows malicious users with physical access to the web browser of a Mahara user, after they have logged in, to potentially gain access to their Mahara credentials. | |||||
| CVE-2017-1000138 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title. | |||||
| CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | |||||
| CVE-2017-1000148 | 1 Mahara | 1 Mahara | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would pass portions of the XML through the PHP "unserialize()" function when importing a skin from an XML file. | |||||
| CVE-2017-1000137 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop). | |||||
| CVE-2017-14163 | 1 Mahara | 1 Mahara | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one closes the browser without logging out of Mahara, the value in the usr_session table is not removed. If someone were to open a browser, visit the Mahara site, and adjust the 'mahara' cookie to the old value, they can get access to the user's account. | |||||
| CVE-2017-1000132 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file. | |||||
| CVE-2017-15273 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. | |||||
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
| Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |||||
| CVE-2017-1000140 | 1 Mahara | 1 Mahara | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when user tries to download the file. | |||||
| CVE-2017-1000139 | 1 Mahara | 1 Mahara | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to server-side request forgery attacks as not all processes of curl redirects are checked against a white or black list. Employing SafeCurl will prevent issues. | |||||