14 May 2024, 19:58

Kia ora Mahara community,

We have a security update available that fixes a potential cross-site scripting issue in Mahara before 24.04.1, 23.04.6, and 22.10.6.

Current subscribers can access the code updates and details on the issue that was fixed:

• 24.04.1
• 23.04.6
• 22.10.6 - final release for Mahara 22.10

The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release. If you use the download files, make sure not to download a file called 'source code'. You want to download the files that have the compiled code. If you use a download package for Mahara 23.04.6, please make sure you select the correct one. There are different files for use on PHP 7.4 and PHP 8.1, and if you use Redis as session handler.

As subscriber, we recommend you update your instance of Mahara to the latest minor point release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one.

Mahara releases are available via a subscription.

Thank you

The Mahara team at Catalyst