Forums | Mahara Community

Security announcements /
XSS exploit and escalation of privileges in Mahara before 24.04.1, 23.04.6, and 22.10.6


This topic is closed. Only moderators and the group administrators can post new replies.
Kristina Hoeppner's profile picture
Posts: 4977

14 May 2024, 19:58

Kia ora Mahara community,

We have a security update available that fixes a potential cross-site scripting issue in Mahara before 24.04.1, 23.04.6, and 22.10.6.

CVE information

CVE-2024-35203

Vulnerability type: Cross site scripting (XSS)

Attack type: Local

Attack vector: Creating a file with a specific name structure can cause JavaScript execution on upload

Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara file browser system.

Credit: Mateusz Gierblinski

CVE-2024-39335

Suggested description: Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via the 'Current submissions' page: Administration -> Groups -> Submissions.

Vulnerability Type: Insecure Permissions

Impact: Information Disclosure

Attack Vectors: Viewing the list of 'Current submissions' on Administration -> Groups -> Submissions page by institution administrators even when they are not the administrator of a person whose portfolio was archived.

Affected Component: The logic to build the SQL command to fetch the 'Current submissions' results is executed in incorrect order.

Credit: Kristina Hoeppner (Catalyst IT)

Get code update

Current subscribers can access the code updates and details on the issue that was fixed:

The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release. If you use the download files, make sure not to download a file called 'source code'. You want to download the files that have the compiled code. If you use a download package for Mahara 23.04.6, please make sure you select the correct one. There are different files for use on PHP 7.4 and PHP 8.1, and if you use Redis as session handler.

As subscriber, we recommend you update your instance of Mahara to the latest minor point release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one.

Mahara releases are available via a subscription.

Thank you

The Mahara team at Catalyst

Edits to this post:

1 result