We have security updates available that fix an information disclosure issue that is also present in older unsupported versions of Mahara.
Current subscribers can access the code updates and details on the issue that was fixed:
If you prefer, the download packages are available via the 'Releases' page in the Subscriber Portal.
We recommend you update your instance of Mahara to the latest minor point release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one. Older unsupported versions of Mahara are vulnerable to this issue as well.
Mahara releases are available via a subscription. If you are on an unsupported version of Mahara, the extended security support can be purchased as an add-on.
Thank you
Kristina
We recommend you install this security update on your site as quickly as possible.
Prevent embedded images from being accessed without correct permissions
Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 are vulnerable to embedded images being accessible without a sufficient permission check under certain conditions.
Reported by: Not disclosed
Bug report
CVE reference: CVE-2022-42707
Mahara 21.10, 22.04, and 22.10 are currently supported for security fixes. You can download the latest minor point versions 21.10.5, 22.04.3, and the first stable version of 22.10 respectively to receive the fix for this security issue.
Mahara 21.04 also received the security fixes as part of 21.04.7. This is the last security release for Mahara 21.04. We recommend you upgrade to a supported version of Mahara.
Older versions of Mahara are not supported with security fixes any more. However, you can patch your site by backporting the changes. The earliest backports to 21.04 that we've made relate to the series of patches for bug 1991157. You can take them as a starting point for your own backports if you are on an older version of Mahara and cannot upgrade directly. You can also get in touch with us to support you with that on a consultancy basis.
You can download the latest versions from Launchpad or check out the relevant branch from Git.
Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 are vulnerable to the PDF export potentially triggering a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript.
Reported by: Fergus Whyte (Catalyst IT)
Bug report
CVE reference: CVE-2022-44544
We recommend you install this security update on your site as quickly as possible.
Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Unsupported versions of Mahara 20.04 and 20.10, and supported versions of Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04 before 22.04.2 are vulnerable to files being served by thumb.php without a permission check under certain conditions.
Reported by: Gwenole T.
Bug report
CVE reference: CVE-2022-33913
Mahara 21.04, 21.10, and 22.04 are currently supported for security fixes. You can download the latest minor point versions 21.04.6, 21.10.4, and 22.04.2 respectively to receive the fix for this security issue.
Mahara 20.04 and 20.10 are not supported with security fixes any more. However, you can patch your site by backporting the fix to your instance, i.e. download the two changed files (or download a patch file) and merge them into your codebase. You may have to resolve merge conflicts, especially if you changed anything in these files yourself.
You can download the latest versions from Launchpad or check out the relevant branch from Git.
Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure
Affected components: The group search, accessible via Main menu → Engage → Groups when isolated institutions is turned on for the site.
Attack vectors: If the site has turned on isolated institutions and has more than 10 groups, someone using the paginator on the 'Groups' page can view the titles of all groups on the site from page 2 of the results list onwards, rather than only the groups in their own institution.
Description: In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using 'Isolated institutions' is vulnerable if groups are used: all groups on the site are shown from page 2 of the group results list rather than only the groups of the institution the viewer is a member of.
Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1922226
CVE reference: CVE-2022-29585
Far-reaching security vulnerabilities in the Spring framework used in many Java applications have been made public:
Mahara itself is a PHP application and thus not directly affected. The only component that required review is our implementation of Elasticsearch as that is a Java application. Our initial investigation did not reveal any immediate vulnerability. Our systems operations team is conducting a more thorough review. If that reveals any issues, we'll be in touch.
If you use Elasticsearch, you may wish to follow the security announcements from Elastic.
Thank you
Kristina
Vulnerability type: Code execution
Attack type: Local
Impact: Ability to gain privileges
Affected components: Exporting of collections with PDF export enabled
Attack vectors: If a person names a collection in a certain way then on exporting it can cause the name to be executed as a command.
Description: In Mahara before 20.10.4, 21.04.3, and 21.10.1, exporting collections via PDF export could cause code execution.
Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1949527
CVE reference: CVE-2021-43266
Affected components: The help icon for 'page help'
Attack vectors: If a person alters the path to the page help file, they can traverse to other .html files outside the site's webroot and potentially find sensitive information.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file could allow viewing HTML files that you are not allowed to access.
Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1944979
CVE reference: CVE-2021-43264
Vulnerability type: XSS
Attack type: Local
Impact: Code execution
Affected components: The adding or displaying of tags on pages or content
Attack vectors: If a person creates a tag in a certain way and then shares the page with others, the tag can cause code execution when they view the page.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could cause code execution.
Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1944633
CVE reference: CVE-2021-43265
Affected components: Exporting of collections with PDF export enabled
Attack vectors: If a person names a collection in a certain way then on exporting it can cause the name to be executed as a command.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could cause code execution.
Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1942903
CVE reference: CVE-2021-43266
PHPMailer fixes CVE-2021-3603, which may permit untrusted code to be run from an address validator.
See more information at https://github.com/PHPMailer/PHPMailer/blob/v6.5.0/SECURITY.md
Affected components: Exported CSV files with personal data that are imported into a spreadsheet software
Attack vectors: If a person saves data (like their username) beginning with certain characters, e.g. = or +, then that data, once added into a spreadsheet program, will be interpreted as a command. This allows one to craft a malicious string to exploit spreadsheet vulnerabilities. Mahara itself is not vulnerable, but it can be the vector of transmission.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command and execute a malicious string locally on a device.
Reported by: Saksham Anand (Catalyst IT)
Bug report: https://bugs.launchpad.net/mahara/+bug/1930471
CVE reference: CVE-2021-40848
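The usual mitigation for the CSV issue above is to neutralise cells that begin with a formula trigger before they are written to the export. The following is an added illustration, not Mahara's own code: it builds a small CSV exporter that prefixes such cells with a single quote, and a scanner that flags formula-like cells in an existing export. The trigger list extends the advisory's '=' and '+' with the other leading characters spreadsheet applications commonly treat as formula starts; the sample rows are constructed.

```python
# Added example (not Mahara's code): neutralise spreadsheet formula
# injection in CSV exports of personal data.
import csv
import io

# Leading characters that common spreadsheet applications treat as the
# start of a formula. The advisory names '=' and '+'; '-', '@', tab and
# carriage return are the other widely documented triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value: str) -> str:
    """Prefix a single quote so the cell is kept as literal text.

    The quote is visible in some tools; that is the accepted trade-off
    for making the cell inert."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows: list[dict[str, str]], fields: list[str]) -> str:
    """Write rows as CSV with every cell quoted and neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralise_cell(str(row.get(f, ""))) for f in fields})
    return buf.getvalue()


def find_risky_cells(csv_text: str) -> list[tuple[int, str, str]]:
    """Scan an existing export; return (row, column, value) of risky cells.

    Useful for checking exports produced by an unpatched version."""
    risky = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for column, value in row.items():
            if value is not None and is_formula_like(value):
                risky.append((row_no, column, value))
    return risky


# Constructed sample data: the second username starts with '=' on purpose.
SAMPLE_ROWS = [
    {"username": "alice", "email": "alice@example.org"},
    {"username": "=1+1", "email": "bob@example.org"},
]
```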
SimpleSAMLphp issues that relate to relying on the out-of-date Composer version 1:
All supported versions of Mahara now use SimpleSAMLphp 1.19.0, which relies on Composer 2.
Get the latest releases from our Git repository. You can also download them from Launchpad:
PHPMailer: fix for an insufficient output escaping bug in file attachment names.
Get the latest releases from our Git repository. You can also download them from Launchpad:
Vulnerability type: Cross-site scripting (XSS) / stored XSS
Attack type: Remote
Impact: Code execution
Affected components: The 'External media' block and anywhere you can enter HTML code, such as a text block, notes, journal entry, and forum post.
Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to stored cross-site scripting when a particular CSS class for embedly is used and JavaScript code is constructed to perform an action.
Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1968920
CVE reference: CVE-2022-29584