Information disclosure in Mahara 1.1.4
21 June 2009, 11:01 PM
Mahara lets a user see an 'artefact' whenever that artefact has been placed within a 'view' to which the user has explicitly been granted access. While Mahara made some permission checks before presenting the user with a list of artefacts to include in a view, it did not apply these checks when saving the view.
Therefore, a user could gain access to another user's artefact without that other user's permission.
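The flaw class described in the announcement, as an added example that is not Mahara's code: a simplified Python model in which the artefact chooser is filtered by permission but the save handler is not, next to a save handler that re-applies the same rule. All names are hypothetical, the data is constructed, and plain ownership stands in for Mahara's actual permission rule.

```python
# Simplified model of the flaw class described above; not Mahara's code.
# All names (Artefact, View, may_use, artefact_choices, save_view_*) are
# hypothetical, and "owner == user" is an assumed stand-in permission rule.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Artefact:
    id: int
    owner: str


@dataclass
class View:
    owner: str
    artefact_ids: list = field(default_factory=list)


# Constructed sample data: two users, one artefact each.
ARTEFACTS = {1: Artefact(1, "alice"), 2: Artefact(2, "bob")}


def may_use(user, artefact_id):
    """Single permission rule shared by the chooser and the save handler."""
    artefact = ARTEFACTS.get(artefact_id)
    return artefact is not None and artefact.owner == user


def artefact_choices(user):
    """The list offered in the view editor: already filtered by permission."""
    return [aid for aid in ARTEFACTS if may_use(user, aid)]


def save_view_unchecked(user, submitted_ids):
    """Flawed: assumes the submitted ids came from the filtered list."""
    return View(owner=user, artefact_ids=list(submitted_ids))


def save_view_checked(user, submitted_ids):
    """Fixed: re-applies the same rule to every submitted id at save time."""
    denied = [aid for aid in submitted_ids if not may_use(user, aid)]
    if denied:
        raise PermissionError(f"artefacts not usable by {user}: {denied}")
    return View(owner=user, artefact_ids=list(submitted_ids))
```

Filtering what is displayed is a convenience for the user; the check on the submitted ids at save time is the one that enforces the permission.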