CVEs related to bugs in Mahara

Open bugs

There are no CVEs related to bugs open in Mahara.

Resolved bugs

Bug CVE(s)
Bug #491129: Smarty version in Mahara 1.0 and 1.1 has security vulnerabilities CVE-2008-4810
CVE-2008-4811
CVE-2009-1669
Mahara Fix released, assigned to Evan Goldenberg
Bug #534172: get_new_username() does not escape string used in SQL call CVE-2010-0400
Mahara Fix released, assigned to Evan Goldenberg
Bug #556369: SQL injection in username field CVE-2010-0400
Mahara Fix released (unassigned)
Bug #571505: XSS in HTML purifier 3.0.0 and 4.0.0 CVE-2010-2479
Mahara Fix released, assigned to Fran├žois Marier
Bug #594891: Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password CVE-2010-1670
Mahara Fix released, assigned to Richard Mansfield
Bug #669307: User content not escaped in groupviews blocktype CVE-2010-3871
Mahara Fix released, assigned to Richard Mansfield
Bug #676336: Blogs get deleted without sesskey check CVE-2011-0439
CVE-2011-0440
Mahara Fix released, assigned to Richard Mansfield
Bug #685942: Possible https to http downgrade CVE-2011-1406
Mahara Fix released, assigned to Ruslan Kabalin
Bug #710428: XSS in select box validation CVE-2011-0439
Mahara Fix released, assigned to Richard Mansfield
Bug #746182: Overriding start/stop dates not checked CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #771592: Edit permission not checked in newviewtoken.json.php CVE-2011-1402
Mahara Fix released, assigned to Richard Mansfield
Bug #771598: Session key validation not working in pieforms CVE-2011-1403
Mahara Fix released, assigned to Richard Mansfield
Bug #771614: Check permissions and remove user suspension code from admin/users/search.json.php CVE-2011-1402
Mahara Fix released, assigned to Richard Mansfield
Bug #771623: Check edit permissions in tasks.json.php CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #771637: Check view permissions in viewtasks.json.php CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #771644: Check edit permissions in blog index.json.php CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #771653: Check view permissions in blog posts.json.php CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #772140: Information disclosure in my friends pagination script CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #772160: Userlist element json script reveals user information CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #772174: Group member search json script reveals user information CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #772179: Ajax script for friend search pagination reveals user information CVE-2011-1404
Mahara Fix released, assigned to Richard Mansfield
Bug #772860: HTML emails not escaped CVE-2011-1405
Mahara Fix released, assigned to Richard Mansfield
Bug #784978: Potential DoS attack by running large images through GD CVE-2011-2772
Mahara Fix released, assigned to Richard Mansfield
Bug #798128: All private messages were accessible by wrong users CVE-2011-2774
Mahara Fix released, assigned to Ruslan Kabalin
Bug #798136: XSS in URI attributes in the externalfeed block CVE-2011-2771
Mahara Fix released, assigned to Melissa Draper
Bug #800032: Session key not checked in admin/users/addtoinstitution.php CVE-2011-2773
Mahara Fix released, assigned to Richard Mansfield
Bug #884223: Administrators masquerading as other users can jump to remote XMLRPC applications as that other user CVE-2011-4118
Mahara Fix released, assigned to Andrew Nicols
Bug #1009262: User passwords logged when LDAP misconfigured CVE-2010-5311
Mahara Fix released, assigned to Son Nguyen
Bug #1016253: Don't send plaintext RSS password back to browser CVE-2013-7410
CVE-2013-7411
Mahara Fix released, assigned to Son Nguyen
Bug #1034180: A group member with no access rights to folder can still view it (if smart :D) CVE-2013-4432
Mahara Fix released, assigned to Son Nguyen
Bug #1055232: XSS using user uploaded XHTML files CVE-2012-2243
Mahara Fix released, assigned to Hugh Davenport
Bug #1057238: Arbitrary Code Execution via pathtoclam config setting CVE-2012-2244
Mahara Fix released, assigned to Hugh Davenport
Bug #1057240: Click-Jacking attack on user account self-deletion page CVE-2012-2246
Mahara Fix released, assigned to Hugh Davenport
Bug #1061980: XSS using user uploaded SVG files CVE-2012-2247
Mahara Fix released, assigned to Hugh Davenport
Bug #1063480: Reflected XSS in user/group bulk CSV upload CVE-2012-2243
Mahara Fix released, assigned to Hugh Davenport
Bug #1084336: mnet: mahara doesn't implement kill_child which results in not being logged out when logged out from a remote IdP over mnet CVE-2017-1000131
Mahara Fix released, assigned to Aaron Wells
Bug #1103748: included flowplayer 3.2.7 is vulnerable CVE-2011-3642
Mahara Fix released, assigned to Aaron Wells
Bug #1153423: Stored XSS in TinyMCE editor CVE-2013-1426
Mahara Fix released, assigned to Hugh Davenport
Bug #1171714: RSS block contents randomly copied from one block to another CVE-2013-7412
Mahara Fix released, assigned to Aaron Wells
Bug #1172096: Require re-entering RSS feed password when you change the URL CVE-2013-7413
Mahara Fix released (unassigned)
Bug #1175446: user supplied $_SERVER['HTTP_HOST'] can be used for injections CVE-2013-4430
Mahara Fix released, assigned to Aaron Wells
Bug #1190788: Can cause arbitrary SWF files to execute in the browser CVE-2017-1000132
Mahara Fix released, assigned to Robert Lyon
Bug #1211758: Arbitrary image download CVE-2013-4429
Mahara Fix released, assigned to Robert Lyon
Bug #1233500: Not checking ownership of blocks before editing them CVE-2013-4431
Mahara Fix released, assigned to Son Nguyen
Bug #1234615: Not checking artefact permissions before exporting CVE-2017-1000133
Mahara Fix released (unassigned)
Bug #1266976: Update to HTMLPurifier 4.6.0 CVE-2013-7414
Mahara Fix released, assigned to Robert Lyon
Bug #1267686: Group member can't access their own group file CVE-2017-1000134
Mahara Fix released, assigned to Robert Lyon
Bug #1284876: Suspended users can log in via password reset email CVE-2014-8697
Mahara Fix released, assigned to Aaron Wells
Bug #1333096: Password reset key leaked via HTTP "Referer" field CVE-2014-8694
Mahara Fix released, assigned to Robert Lyon
Bug #1348024: users can stay logged into suspended institution CVE-2017-1000135
Mahara Fix released, assigned to Robert Lyon
Bug #1363873: Session Management Issue- Session is not invalidating after password change CVE-2017-1000136
Mahara Fix released, assigned to Robert Lyon
Bug #1373170: Description of a skin should be html escaped CVE-2014-8699
Mahara Fix released, assigned to Son Nguyen
Bug #1375092: XSS in page content editor CVE-2017-1000137
Mahara Fix released, assigned to Robert Lyon
Bug #1377736: XSS Vulnerability adding pages into a collection CVE-2017-1000138
Mahara Fix released, assigned to Son Nguyen
Bug #1381868: XSS with institution full name on user profile page CVE-2014-8698
Mahara Fix released, assigned to Yuliya Bozhko
Bug #1384009: Cookie lacking "secure" flag for HTTPS sites CVE-2014-8693
Mahara Fix released, assigned to Robert Lyon
Bug #1384481: Minor version number displayed in JS, CSS links CVE-2014-8692
Mahara Fix released, assigned to Aaron Wells
Bug #1385564: Secret URLs used on public computers leak access to later users of the same browser CVE-2014-8691
Mahara Fix released, assigned to Aaron Wells
Bug #1386010: Author not anonymised on "Shared with me" page and in "Latest pages" block CVE-2014-8696
Mahara Fix released, assigned to Robert Lyon
Bug #1387903: Should not be able to execute CLI scripts from the web CVE-2014-8695
Mahara Fix released, assigned to Aaron Wells
Bug #1394820: SSRF in external feed CVE-2014-9088
Mahara Fix released, assigned to Aaron Wells
Bug #1397736: Use SafeCURL in external RSS block CVE-2017-1000139
Mahara Won't fix, assigned to Aaron Wells
Bug #1404117: XSS via uploaded XML CVE-2017-1000140
Mahara Fix released, assigned to Son Nguyen
Bug #1422492: Mahara doesn't ask you for your password before changing your username CVE-2017-1000141
Mahara Fix released (unassigned)
Bug #1425306: Users can delete submitted page through URL CVE-2017-1000142
Mahara Fix released, assigned to Yuliya Bozhko
Bug #1429647: Watchlist lets you watch and receive notifications about pages you don't have view access to CVE-2017-1000143
Mahara Fix released (unassigned)
Bug #1447377: Stored XSS in user reports access lists, and shared tabs for user/group/institution CVE-2017-1000144
Mahara Fix released, assigned to Hugh Davenport
Bug #1460368: Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts CVE-2017-1000145
Mahara Fix released, assigned to Robert Lyon
Bug #1472439: XSS in "add to watchlist" link on artefact detail screen CVE-2017-1000146
Mahara Fix released, assigned to Aaron Wells
Bug #1480329: Session key is not checked during file upload CVE-2017-1000147
Mahara Fix released, assigned to Aaron Wells
Bug #1508684: Unserialize untrusted data when importing skins CVE-2017-1000148
Mahara Fix released (unassigned)
Bug #1558361: XSS vulnerability due to window.opener (target="_blank" and window.open()) CVE-2017-1000149
Mahara Fix released, assigned to Aaron Wells
Bug #1567784: Session ID's not being regenerated CVE-2017-1000150
Mahara Fix released (unassigned)
Bug #1570221: Don't print parameter values in logs, in productionmode CVE-2017-1000151
Mahara Fix released, assigned to Aaron Wells
Bug #1570744: Duplicate session headers not removed in PHP 5.3 CVE-2017-1000152
Mahara Fix released (unassigned)
Bug #1577251: Should invalidate password reset links when a user changes their primary email address CVE-2017-1000153
Mahara Fix released (unassigned)
Bug #1580399: Users can login to suspended institutions via external auth under some circumstances CVE-2017-1000154
Mahara Fix released (unassigned)
Bug #1600069: See other's profile images one is not meant to CVE-2017-1000155
Mahara Fix released, assigned to Robert Lyon
Bug #1609200: Non-admin role users can edit group settings CVE-2017-1000156
Mahara Fix released, assigned to Ghada El-Zoghbi
Bug #1652995: Phpmailer security update (v5.2.21) CVE-2016-10045
Mahara Fix released (unassigned)
Bug #1692749: User passwords being saved in database event_log as plain text CVE-2017-1000157
Mahara Fix released, assigned to Robert Lyon
Bug #1697308: Potential attack vector via registration form CVE-2017-9551
Mahara Fix released, assigned to Robert Lyon
Bug #1701978: Old cookies lingering allowing one to login without giving login details CVE-2017-14163
Mahara Fix released, assigned to Cecilia Vela Gurovic
Bug #1719491: Avoid saving firstname / lastname / preferredname that contains html tags CVE-2017-14752
Mahara Fix released, assigned to Robert Lyon
Bug #1732987: Fix user input from direct get post usage CVE-2017-17454
Mahara Fix released (unassigned)
Bug #1734767: Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https CVE-2017-17455
Mahara Fix released (unassigned)
Bug #1744789: Avoid relying on TinyMCE code stripping alone CVE-2018-6182
Mahara Fix released, assigned to Robert Lyon
Bug #1770535: Able to upload a virus file to Files section CVE-2018-11196
Mahara Fix released, assigned to Robert Lyon
Bug #1770561: Browser back and refresh button attack vulnerability CVE-2018-11195
Mahara Fix released (unassigned)
Bug #1772774: change error message when changing username CVE-2018-11565
Mahara Fix released, assigned to Cecilia Vela Gurovic
Bug #1817221: A site admin can access Mahara 'root' user and break the site CVE-2019-9708
Mahara Fix released, assigned to Robert Lyon
Bug #1819547: XSS in collection title when viewwing on matrix page CVE-2019-9709
Mahara Fix released, assigned to Robert Lyon