Filtered by vendor Mahara
Subscribe
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000140 | 1 Mahara | 1 Mahara | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when user tries to download the file. | |||||
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |||||
| CVE-2017-1000143 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to users receiving watchlist notifications about pages they do not have access to anymore. | |||||
| CVE-2017-1000146 | 1 Mahara | 1 Mahara | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages. | |||||
| CVE-2017-1000133 | 1 Mahara | 1 Mahara | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to a user - in some circumstances causing another user's artefacts to be included in a Leap2a export of their own pages. | |||||
| CVE-2017-1000131 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | |||||
| CVE-2017-1000145 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to anonymous comments being able to be placed on artefact detail pages even when the site administrator had disallowed anonymous comments. | |||||
| CVE-2017-1000151 | 1 Mahara | 1 Mahara | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to passwords or other sensitive information being passed by unusual parameters to end up in an error log. | |||||
| CVE-2017-1000137 | 1 Mahara | 1 Mahara | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop). | |||||
| CVE-2017-1000155 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to profile pictures being accessed without any access control checks consequently allowing any of a user's uploaded profile pictures to be viewable by anyone, whether or not they were currently selected as the "default" or used in any pages. | |||||
| CVE-2017-1000147 | 1 Mahara | 1 Mahara | 2025-04-20 | 6.0 MEDIUM | 6.8 MEDIUM |
| Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could allow an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account. | |||||
| CVE-2017-1000171 | 1 Mahara | 1 Mahara Mobile | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text. | |||||
| CVE-2017-9551 | 1 Mahara | 1 Mahara | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user submitting potential dangerous payload, e.g. XSS code, to be saved as their name in the usr_registration table. The values are then emailed to the the user and administrator and if accepted become part of the new user's account. | |||||
| CVE-2013-4432 | 1 Mahara | 1 Mahara | 2025-04-12 | 4.0 MEDIUM | N/A |
| Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote authenticated users to read arbitrary folders (1) by leveraging an active folder tab loaded before permissions were removed or (2) via the folder parameter to artefact/file/groupfiles.php. | |||||
| CVE-2013-4431 | 1 Mahara | 1 Mahara | 2025-04-12 | 5.5 MEDIUM | N/A |
| Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly prevent access to blocks, which allows remote authenticated users to modify arbitrary blocks via the bock id in an edit request. | |||||
| CVE-2013-4429 | 1 Mahara | 1 Mahara | 2025-04-12 | 4.0 MEDIUM | N/A |
| Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remote authenticated users to read arbitrary artefacts via the (1) artefact id in an upload action when creating a journal or (2) instconf_artefactid_selected[ID] parameter in an upload action when editing a block. | |||||
| CVE-2013-4430 | 1 Mahara | 1 Mahara | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 allows remote attackers to inject arbitrary web script or HTML via the Host header to lib/web.php. | |||||
| CVE-2012-2351 | 2 Debian, Mahara | 2 Debian Linux, Mahara | 2025-04-11 | 5.0 MEDIUM | N/A |
| The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username. | |||||
| CVE-2011-1402 | 1 Mahara | 1 Mahara | 2025-04-11 | 6.5 MEDIUM | N/A |
| Mahara before 1.3.6 allows remote authenticated users to bypass intended access restrictions, and suspend a user account, edit a view, visit a view, edit a plan artefact, read a plans block, read a plan artefact, edit a blog, read a blog block, read a blog artefact, or access a block, via a request associated with (1) admin/users/search.json.php, (2) view/newviewtoken.json.php, (3) lib/mahara.php, (4) artefact/plans/tasks.json.php, (5) artefact/plans/viewtasks.json.php, (6) artefact/blog/view/index.json.php, (7) artefact/blog/posts.json.php, or (8) blocktype/myfriends/myfriends.json.php, related to incorrect privilege enforcement, a missing user id check, and incorrect enforcement of the Overriding Start/Stop Dates setting. | |||||
| CVE-2010-1668 | 1 Mahara | 1 Mahara | 2025-04-11 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||