Forums | Mahara Community

Security Announcements /
Able to see the name of another account holder’s folder in Mahara before 21.10.1, 21.04.3, and 20.10.4

This topic is closed. Only moderators and the group administrators can post new replies.
Doris ⚡'s profile picture
Posts: 84

09 February 2022, 17:23

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected components: Folder names in the 'Files' area in Mahara.
Description: In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the 'Files' area could be seen by a person not owning the folders. Files and file names themselves were not affected and were not disclosed.
Reported by: Robert Lyon
Bug report: Launchpad 1952808
CVE reference: CVE-2022-24694

Edits to this post:

1 result