XML External Entities Vulnerability in versions 1.4.3 and 1.5.2
13 September 2012, 20:53
Category: XML External Entities
Severity: Critical
Versions affected: < 1.4.4, < 1.5.3
Reported by: Mike Haworth
Identifier: CVE-2012-2239
Bug report: 1047111
As part of the Mahara Security Bug Bounty Program, a critical XML parsing vulnerability was discovered. The vulnerability has been fixed by the Mahara core developers.
Upgrading to Mahara 1.4.4 or 1.5.3 is strongly recommended for all sites running on a PHP version equal to or greater than 5.2.11.
Download links for fixed versions:
https://launchpad.net/mahara/+milestone/1.4.4
https://launchpad.net/mahara/+milestone/1.5.3