Comment 3 for bug 1930171

Kristina Hoeppner (kris-hoeppner) wrote: Re: Strengthen the CSRF key to make it unguessable

Related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-29349, but this report specifically looks at the random token generator.

Vulnerability type: CSRF
Attack type: Physical?
Impact: Information disclosure, other

Affected components: Non-cryptographically generated random tokens are too easily guessable. They should be generated in a cryptographically secure way. The current function to generate random keys is not random enough.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable.

Reported by: Catalyst IT
Bug report: https://bugs.launchpad.net/mahara/+bug/1930171
CVE reference: CVE-2022-28892 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28892
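To illustrate the point of the report, here is an added example (not Mahara's own code) contrasting a token built from a non-cryptographic generator with one built from the OS CSPRNG, plus a constant-time check of the submitted token; the function names and the `csrf_token` session/form field are assumptions for this example.

```php
<?php
// Added example, not Mahara's code: weak vs. cryptographically secure
// CSRF token generation, and a constant-time verification helper.

// WEAK: mt_rand()/rand() are not cryptographically secure. Their output is
// predictable from observed values, so tokens built this way are guessable.
function weak_csrf_token(int $length = 32): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// STRONG: random_bytes() (PHP >= 7.0) reads from the OS CSPRNG and throws
// an Exception if no secure source is available instead of silently
// falling back to a weaker generator.
function secure_csrf_token(int $bytes = 32): string {
    return bin2hex(random_bytes($bytes)); // 64 hex chars, 256 bits of entropy
}

// Compare the submitted token with the session copy in constant time so the
// comparison itself does not leak how much of the prefix matched.
function csrf_token_matches(string $expected, string $submitted): bool {
    if ($expected === '' || strlen($expected) !== strlen($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Usage sketch (assumed field name 'csrf_token'): issue one secure token per
// session, embed it in every state-changing form, reject mismatching POSTs.
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = secure_csrf_token();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_matches($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
```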