27 April 2022, 13:17

Group search page shows too many results when isolated institutions is turned on

Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure

Affected components: The group search, accessible via Main menu → Engage → Groups when isolated institutions is turned on for the site.

Attack vectors: If the site turned on isolated institutions and has more than 10 groups on the site, using the paginator on the 'Groups' page, someone can view the title of all groups on the site from page 2 of the results list onwards rather than only seeing groups in their own institution.

Description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using 'Isolated institutions' is vulnerable if groups are used. They are all shown from page 2 of the group results list rather than only showing groups for the institution in which the viewer is a member of.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1922226
CVE reference: 2022-29585