Forums | Mahara Community
Able to see the name of another account holder’s folder in Mahara before 21.10.1, 21.04.3, and 20.10.4
09 February 2022, 17:23
Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected components: Folder names in the 'Files' area in Mahara.
Description: In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the 'Files' area could be seen by a person not owning the folders. Files and file names themselves were not affected and were not disclosed.
Reported by: Robert Lyon
Bug report: Launchpad 1952808
CVE reference: CVE-2022-24694
Edits to this post:
- Doris ⚡ - 09 February 2022, 17:55
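
A triage helper for the version ranges stated in the advisory above, added here as an example; it is not part of the original post or of Mahara's code. It assumes you already hold each site's release string, and the function names and sample inventory are hypothetical.

```python
import re

# Series -> first fixed patch release, taken from the advisory text.
FIXED_IN = {
    (20, 10): 4,  # 20.10 before 20.10.4 is affected
    (21, 4): 3,   # 21.04 before 21.04.3 is affected
    (21, 10): 1,  # 21.10 before 21.10.1 is affected
}

# Strict match: suffixes such as "rc1" or "dev" are not classified.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def advisory_status(release):
    """Classify a release string against CVE-2022-24694.

    Returns 'affected', 'fixed' or 'unknown'. 'unknown' covers strings that
    do not parse and series the advisory does not mention; those need a
    manual check and are not assumed safe.
    """
    match = _RELEASE_RE.match(release.strip())
    if not match:
        return "unknown"
    major, minor, patch = (int(part) for part in match.groups())
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    return "affected" if patch < fixed_patch else "fixed"


def triage(inventory):
    """Map each site name in a {site: release} inventory to its status."""
    return {site: advisory_status(rel) for site, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory: site names and releases are sample values.
    sample = {
        "portfolio-a": "21.10.0",
        "portfolio-b": "21.04.3",
        "portfolio-c": "20.04.5",
    }
    for site, status in sorted(triage(sample).items()):
        print(f"{site}: {status}")
```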