Information disclosure in Mahara 1.1.4

21 June 2009, 11:01 PM

Category: Information disclosure
Severity: Major
Versions affected: < 1.1.5
Reported by: Mahara Team
Identifier: CVE-2009-2171

Mahara lets a user see an 'artefact' whenever that artefact has been placed within a 'view' to which the user has explicitly been granted access. While Mahara made some permission checks before presenting the user with a list of artefacts to include in a view, it did not apply these checks when saving the view.

Therefore, a user could gain access to another user's artefact without that other user's permission.

Upgrading to Mahara 1.1.5 is strongly recommended for all sites currently using the Mahara 1.1 series. The 1.0 series is not affected by this problem.

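The class of flaw described in the announcement, shown as an added example that is not part of the original post and is not Mahara's code: a picker that filters what it offers, next to a save handler that does not re-check what comes back, and a save handler that does. The data layout, the ownership-based rule and every function name here are hypothetical.

```php
<?php
// Hypothetical model, not Mahara's schema or API. Constructed sample data.
$artefacts = [
    10 => ['owner' => 1, 'title' => "Alice's CV"],
    11 => ['owner' => 1, 'title' => "Alice's journal"],
    20 => ['owner' => 2, 'title' => "Bob's transcript"],
];

// One permission rule (assumed here: ownership), shared by picker and save path.
function can_place_artefact(int $userId, int $artefactId, array $artefacts): bool
{
    return isset($artefacts[$artefactId])
        && $artefacts[$artefactId]['owner'] === $userId;
}

// Picker: offers only artefacts the user may place. This check alone is
// presentation-level; it does not constrain what a request can submit.
function selectable_artefacts(int $userId, array $artefacts): array
{
    return array_values(array_filter(
        array_keys($artefacts),
        fn(int $id): bool => can_place_artefact($userId, $id, $artefacts)
    ));
}

// Flawed save: stores whatever ids the request carried.
function save_view_unchecked(int $userId, array $submittedIds): array
{
    return ['owner' => $userId, 'artefacts' => array_map('intval', $submittedIds)];
}

// Corrected save: re-applies the same rule to every submitted id and
// rejects the whole save if any id fails it.
function save_view_checked(int $userId, array $submittedIds, array $artefacts): array
{
    $ids = array_map('intval', $submittedIds);
    foreach ($ids as $id) {
        if (!can_place_artefact($userId, $id, $artefacts)) {
            throw new RuntimeException("artefact $id may not be placed by user $userId");
        }
    }
    return ['owner' => $userId, 'artefacts' => $ids];
}

// Constructed request: user 2 submits id 10, which the picker never offered.
$submitted = ['20', '10'];
print_r(selectable_artefacts(2, $artefacts));
print_r(save_view_unchecked(2, $submitted));
try {
    save_view_checked(2, $submitted, $artefacts);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```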