Forums | Mahara Community

Security issue relating to the Elasticsearch results and Isolated institutions <18.10.6, <19.04.5, <19.10.3

Robert Lyon

30 April 2020, 12:26

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected: Elasticsearch implementation in Mahara

In Mahara 19.04 before 19.04.4 and 19.10 before 19.10.2, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.

Reference: Launchpad bug 1836984
Credit: Robert Lyon (Catalyst IT)
CVE: 2020-9387

Get the latest releases from our Git repository. You can also download them from Launchpad:
