Security announcements
XSS exploit and escalation of privileges in Mahara before 24.04.1, 23.04.6, and 22.10.6
14 May 2024, 19:58
Kia ora Mahara community,
We have a security update available that fixes a potential cross-site scripting issue in Mahara before 24.04.1, 23.04.6, and 22.10.6.
CVE information
CVE-2024-35203
Vulnerability type: Cross site scripting (XSS)
Attack type: Local
Attack vector: Creating a file with a specific name structure can cause JavaScript execution on upload
Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara file browser system.
Credit: Mateusz Gierblinski
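The root cause of an issue like CVE-2024-35203 is an attacker-controlled string (the uploaded file's name) reaching HTML output without encoding. The following is an added illustration, not Mahara's own code: it shows a vulnerable rendering of a file-browser row beside a hardened one, plus an upload-time name check as defence in depth. The function names and the test filename are constructed for this example.

```php
<?php
// Added example (not Mahara code): rendering an uploaded file's name in a
// file-browser listing. The name is untrusted input and must be treated as text.

// Constructed test input: a filename carrying markup, the shape of the flaw
// described in CVE-2024-35203.
$uploadedName = 'notes<script>alert(1)</script>.txt';

// Vulnerable rendering: the name is concatenated straight into the markup, so
// the browser parses the embedded tag as part of the page.
function renderRowUnsafe(string $name): string
{
    return '<td class="filename">' . $name . '</td>';
}

// Hardened rendering: encode every character with HTML meaning. ENT_QUOTES also
// covers single-quoted attribute contexts, ENT_SUBSTITUTE keeps invalid UTF-8
// from truncating the output, and the explicit charset avoids decoding tricks.
function renderRowSafe(string $name): string
{
    return '<td class="filename">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Defence in depth at upload time: reject names containing characters that have
// no business in a filename (markup delimiters, quotes, control characters).
// Output encoding remains the actual fix; this only narrows the attack surface.
function isAcceptableFileName(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    return preg_match('/[<>"\'\x00-\x1F\x7F]/', $name) !== 1;
}

// Reviewer self-check: the hardened output must not contain the raw tag.
function containsRawTag(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

echo renderRowUnsafe($uploadedName), PHP_EOL;
echo renderRowSafe($uploadedName), PHP_EOL;
var_dump(containsRawTag(renderRowUnsafe($uploadedName)));
var_dump(containsRawTag(renderRowSafe($uploadedName)));
var_dump(isAcceptableFileName($uploadedName));
var_dump(isAcceptableFileName('quarterly-report.pdf'));
```

The same encoding must be applied at every place the name is echoed (listings, tooltips, download dialogs), since a single unencoded sink is enough to reintroduce the issue.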
CVE-2024-39335
Description: Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via the 'Current submissions' page: Administration -> Groups -> Submissions.
Vulnerability Type: Insecure Permissions
Impact: Information Disclosure
Attack Vectors: Viewing the list of 'Current submissions' on Administration -> Groups -> Submissions page by institution administrators even when they are not the administrator of a person whose portfolio was archived.
Affected Component: The logic that builds the SQL command to fetch the 'Current submissions' results is executed in the incorrect order.
Credit: Kristina Hoeppner (Catalyst IT)
Get code update
Current subscribers can access the code updates and details on the issue that was fixed:
The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release. If you use the download files, make sure not to download the file called 'source code'; you want the files that contain the compiled code. If you use a download package for Mahara 23.04.6, please make sure you select the correct one: there are separate files for PHP 7.4 and PHP 8.1, and a separate file if you use Redis as the session handler.
As a subscriber, we recommend that you update your instance of Mahara to the latest minor point release of the Mahara series you are using, or, if you are on an unsupported version of Mahara, upgrade to a supported one.
Mahara releases are available via a subscription.
Thank you
The Mahara team at Catalyst