Forums | Mahara Community

Security Announcements /
Private group, site, or institution portfolios can be accessed by the URL without logging in by going to the URL in Mahara before 21.10.1 and 21.04.3


This topic is closed. Only moderators and the group administrators can post new replies.
Doris ⚡'s profile picture
Posts: 97

09 February 2022, 17:26

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected components: Portfolios created in groups, on the institution, and the site level that have not been shared.
Description: In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.
Reported by: Doris Tam
Bug report: Launchpad 1959146
CVE reference: CVE-2022-24111

1 result