Filtered by vendor Mahara
Subscriptions
Filtered by product Mahara
Subscriptions
Total
108 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45134 | 1 Mahara | 1 Mahara | 2025-09-08 | 9.8 Critical |
| Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed. | ||||
| CVE-2022-45133 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.5 Medium |
| Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to obtain access to secure files or cause code execution based on the payload. | ||||
| CVE-2023-47799 | 1 Mahara | 1 Mahara | 2025-09-05 | 7.5 High |
| Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported. | ||||
| CVE-2024-39923 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person. | ||||
| CVE-2024-45753 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute. | ||||
| CVE-2024-47853 | 1 Mahara | 1 Mahara | 2025-09-05 | 8.8 High |
| An issue was discovered in Mahara 23.04.8 and 24.04.4. Attackers may utilize escalation of privileges in certain cases when logging into Mahara with Learning Tools Interoperability (LTI). | ||||
| CVE-2025-29992 | 1 Mahara | 1 Mahara | 2025-09-05 | 7.5 High |
| Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy. | ||||
| CVE-2024-39335 | 1 Mahara | 1 Mahara | 2025-09-05 | 9.1 Critical |
| Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via the 'Current submissions' page: Administration -> Groups -> Submissions. | ||||
| CVE-2024-35203 | 1 Mahara | 1 Mahara | 2025-09-05 | 6.1 Medium |
| Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system. | ||||
| CVE-2024-47192 | 1 Mahara | 1 Mahara | 2025-09-05 | 5.3 Medium |
| An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download. | ||||
| CVE-2022-44544 | 2 Canonical, Mahara | 2 Ubuntu Linux, Mahara | 2025-05-02 | 9.8 Critical |
| Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export to trigger a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript. | ||||
| CVE-2022-42707 | 1 Mahara | 1 Mahara | 2025-05-02 | 7.5 High |
| In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0, embedded images are accessible without a sufficient permission check under certain conditions. | ||||
| CVE-2017-1000138 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title. | ||||
| CVE-2017-1000135 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | ||||
| CVE-2017-1000133 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to a user - in some circumstances causing another user's artefacts to be included in a Leap2a export of their own pages. | ||||
| CVE-2017-1000139 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to server-side request forgery attacks as not all processes of curl redirects are checked against a white or black list. Employing SafeCurl will prevent issues. | ||||
| CVE-2017-1000143 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to users receiving watchlist notifications about pages they do not have access to anymore. | ||||
| CVE-2017-1000132 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file. | ||||
| CVE-2017-1000146 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages. | ||||
| CVE-2017-1000155 | 1 Mahara | 1 Mahara | 2025-04-20 | N/A |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to profile pictures being accessed without any access control checks consequently allowing any of a user's uploaded profile pictures to be viewable by anyone, whether or not they were currently selected as the "default" or used in any pages. | ||||