Information disclosure in Mahara before 23.04.4 and 22.10.4



08 November 2023, 16:40

Kia ora Mahara community,

We have security updates available that fix an information disclosure issue that is also present in older unsupported versions of Mahara.

Current subscribers can access the code updates and details on the issue that was fixed:

Vulnerability type: Cross Site Scripting (XSS)

Attack type: Remote
Impact: Code execution

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 are vulnerable to unsafe deserialization of user input in skin import. A particularly structured XML file could cause code execution when being processed.

Reported by: Marlon Starkloff
Bug report for XSS
CVE reference: 2022-45134

Vulnerability type: Directory Traversal

Attack type: Remote
Impact: Incorrect access control / Code execution

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 are vulnerable to unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to get access to secure files or cause code execution based on the payload.

Reported by: Marlon Starkloff
Bug report for directory traversal
CVE reference: 2022-45133

Vulnerability type: Information disclosure

Attack type: Local
Impact: Information disclosure

Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported.

Reported by: Francis Devine (Catalyst IT)
Bug report for HTML bulk export issue
CVE reference: CVE-2023-47799

If you prefer, the download packages are available via the 'Releases' page in the Subscriber Portal.

We recommend you update your instance of Mahara to the latest minor point release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one. Older unsupported versions of Mahara are vulnerable to this issue as well.

Mahara releases are available via a subscription. If you are on an unsupported version of Mahara, the extended security support can be purchased as an add-on.

Thank you

Kristina
