Forums | Mahara Community

Security Announcements /
Strengthen the random generated tokens in Mahara before 20.10.5, 21.04.4, and 21.10.2


This topic is closed. Only moderators and the group administrators can post new replies.
Robert Lyon's profile picture
Posts: 772

27 April 2022, 13:20

Related to CVE 2021-29349 but is specifically looking at the random token generator

Vulnerability type: CSRF
Attack type: Physical
Impact: Information disclosure, other

Affected components: Non-cryptographically random generated tokens are too easily guessable. They should be rendered in a cryptographical way. The current function to generate random keys is not random enough.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable.

Reported by: Catalyst IT
Bug report
CVE reference: CVE-2022-28892

Edits to this post:

1 result