Using Mahara, students and staff create their personal learning stories by uploading evidence of activities they have participated in, and embedding publicly accessible content they have previously put online. They can write reflections on their experiences that frame this evidence, map it to competencies or registration requirements, and provide necessary context.
Mahara can be used for many different portfolio purposes, such as study, professional development, work-integrated learning, assessment, showcase and presentation, and employability.
Mahara allows portfolios to be shared flexibly with one person, a specific group of people, or the entire world. Access can be further restricted to a particular time frame or just within an assessment task.
Mahara makes it easy to comment and give feedback. Portfolios can also be submitted to learning management systems via LTI (Learning Tools Interoperability) for marking.
Groups in Mahara allow people to create portfolios collaboratively and engage in forum discussions.
In our podcast 'Create. Share. Engage.' portfolio practitioners, researchers, learning designers, and portfolio authors share their journey. Learn how they navigate the many different facets of portfolios in general, and Mahara specifically.
Mahara is open source. Install it on your own server infrastructure or engage a support company to have your site maintained professionally and receive support around your portfolio project.
You can join the Mahara community to ask your questions about the software and answer other people's questions. There are many ways of contributing to the Mahara project, for example, through translations, graphic design, business analysis and usability, reporting and fixing issues, creating new features, and developing plugins.
Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure, escalation of privileges
Affected components: A token-based web service authenticates the owner of the token so that functions called by the web service can only be executed if the authenticated token owner can run those functions. However, the session of this token is not ended when the web service call throws an error. This means if you try to access a site with a crafted URL containing a valid token but no web service function, there will be an error message page, and if you then go to the homepage of the site, you will be logged in as the token owner.
Description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure at minimum and often escalation of privileges.
Reported by: Catalyst IT
Bug report: https://bugs.launchpad.net/mahara/+bug/1930469
CVE reference: CVE-2021-40849