Filtered by vendor Mahara
Subscriptions
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2012-2239 | 2 Debian, Mahara | 2 Debian Linux, Mahara | 2024-02-15 | 9.1 Critical |
| Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php. | ||||
| CVE-2022-33913 | 1 Mahara | 1 Mahara | 2023-08-08 | 7.5 High |
| In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check. | ||||
| CVE-2022-28892 | 1 Mahara | 1 Mahara | 2023-01-30 | 8.8 High |
| Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. | ||||
| CVE-2022-44544 | 2 Canonical, Mahara | 2 Ubuntu Linux, Mahara | 2022-11-10 | 9.8 Critical |
| Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export to trigger a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript. | ||||
| CVE-2022-42707 | 1 Mahara | 1 Mahara | 2022-11-08 | 7.5 High |
| In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0, embedded images are accessible without a sufficient permission check under certain conditions. | ||||
| CVE-2020-9386 | 1 Mahara | 1 Mahara | 2022-10-07 | 4.3 Medium |
| In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore. | ||||
| CVE-2009-2170 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 before 1.0.12 and 1.1 before 1.1.5 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. | ||||
| CVE-2009-2171 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Mahara 1.1 before 1.1.5 does not apply permission checks when saving a view that contains artefacts, which allows remote authenticated users to read another user's artefact. | ||||
| CVE-2009-3298 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authenticated institution administrators to reset a site administrator password via unspecified vectors. | ||||
| CVE-2009-3299 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2010-0400 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a username. | ||||
| CVE-2010-1670 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2012-2351 | 2 Debian, Mahara | 2 Debian Linux, Mahara | 2022-10-03 | N/A |
| The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username. | ||||
| CVE-2011-2773 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Mahara before 1.4.1 allows remote attackers to hijack the authentication of administrators for requests that add a user to an institution. | ||||
| CVE-2011-2771 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed. | ||||
| CVE-2011-2774 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| The "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 allows remote authenticated users to read the messages of a different user via a modified replyto parameter. | ||||
| CVE-2011-2772 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image. | ||||
| CVE-2011-4118 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Mahara before 1.4.1, when MNet (aka the Moodle network feature) is used, allows remote authenticated users to gain privileges via a jump to an XMLRPC target. | ||||
| CVE-2008-0381 | 1 Mahara | 1 Mahara | 2022-10-03 | N/A |
| Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files. | ||||
| CVE-2022-29585 | 1 Mahara | 1 Mahara | 2022-05-09 | 7.5 High |
| In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of). | ||||