|
Bug #491129: Smarty version in Mahara 1.0 and 1.1 has security vulnerabilities
|
 CVE-2008-4810
CVE-2008-4811
CVE-2009-1669 |
|
Mahara
|
Fix released, assigned to Evan Goldenberg
|
|
Bug #534172: get_new_username() does not escape string used in SQL call
|
CVE-2010-0400 |
|
Mahara
|
Fix released, assigned to Evan Goldenberg
|
|
Bug #556369: SQL injection in username field
|
CVE-2010-0400 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #571505: XSS in HTML purifier 3.0.0 and 4.0.0
|
CVE-2010-2479 |
|
Mahara
|
Fix released, assigned to François Marier
|
|
Bug #594891: Adding internal authinstance as parent of xmlrpc allows login to existing accounts without a password
|
CVE-2010-1670 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #669307: User content not escaped in groupviews blocktype
|
CVE-2010-3871 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #676336: Blogs get deleted without sesskey check
|
CVE-2011-0439
CVE-2011-0440 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #685942: Possible https to http downgrade
|
CVE-2011-1406 |
|
Mahara
|
Fix released, assigned to Ruslan Kabalin
|
|
Bug #710428: XSS in select box validation
|
CVE-2011-0439 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #746182: Overriding start/stop dates not checked
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771592: Edit permission not checked in newviewtoken.json.php
|
CVE-2011-1402 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771598: Session key validation not working in pieforms
|
CVE-2011-1403 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771614: Check permissions and remove user suspension code from admin/users/search.json.php
|
CVE-2011-1402 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771623: Check edit permissions in tasks.json.php
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771637: Check view permissions in viewtasks.json.php
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771644: Check edit permissions in blog index.json.php
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #771653: Check view permissions in blog posts.json.php
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #772140: Information disclosure in my friends pagination script
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #772160: Userlist element json script reveals user information
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #772174: Group member search json script reveals user information
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #772179: Ajax script for friend search pagination reveals user information
|
CVE-2011-1404 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #772860: HTML emails not escaped
|
CVE-2011-1405 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #784978: Potential DoS attack by running large images through GD
|
CVE-2011-2772 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #798128: All private messages were accessible by wrong users
|
CVE-2011-2774 |
|
Mahara
|
Fix released, assigned to Ruslan Kabalin
|
|
Bug #798136: XSS in URI attributes in the externalfeed block
|
CVE-2011-2771 |
|
Mahara
|
Fix released, assigned to Melissa Draper
|
|
Bug #800032: Session key not checked in admin/users/addtoinstitution.php
|
CVE-2011-2773 |
|
Mahara
|
Fix released, assigned to Richard Mansfield
|
|
Bug #884223: Administrators masquerading as other users can jump to remote XMLRPC applications as that other user
|
CVE-2011-4118 |
|
Mahara
|
Fix released, assigned to Andrew Nicols
|
|
Bug #1009262: User passwords logged when LDAP misconfigured
|
CVE-2010-5311 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1016253: Don't send plaintext RSS password back to browser
|
CVE-2013-7410
CVE-2013-7411 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1034180: A group member with no access rights to folder can still view it (if smart :D)
|
CVE-2013-4432 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1055232: XSS using user uploaded XHTML files
|
CVE-2012-2243 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1057238: Arbitrary Code Execution via pathtoclam config setting
|
CVE-2012-2244 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1057240: Click-Jacking attack on user account self-deletion page
|
CVE-2012-2246 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1061980: XSS using user uploaded SVG files
|
CVE-2012-2247 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1063480: Reflected XSS in user/group bulk CSV upload
|
CVE-2012-2243 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1084336: mnet: mahara doesn't implement kill_child which results in not being logged out when logged out from a remote IdP over mnet
|
CVE-2017-1000131 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1103748: included flowplayer 3.2.7 is vulnerable
|
CVE-2011-3642 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1153423: Stored XSS in TinyMCE editor
|
CVE-2013-1426 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1171714: RSS block contents randomly copied from one block to another
|
CVE-2013-7412 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1172096: Require re-entering RSS feed password when you change the URL
|
CVE-2013-7413 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1175446: user supplied $_SERVER['HTTP_HOST'] can be used for injections
|
CVE-2013-4430 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1190788: Can cause arbitrary SWF files to execute in the browser
|
CVE-2017-1000132 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1211758: Arbitrary image download
|
CVE-2013-4429 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1233500: Not checking ownership of blocks before editing them
|
CVE-2013-4431 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1234615: Not checking artefact permissions before exporting
|
CVE-2017-1000133 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1266976: Update to HTMLPurifier 4.6.0
|
CVE-2013-7414 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1267686: Group member can't access their own group file
|
CVE-2017-1000134 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1284876: Suspended users can log in via password reset email
|
CVE-2014-8697 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1333096: Password reset key leaked via HTTP "Referer" field
|
CVE-2014-8694 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1348024: users can stay logged into suspended institution
|
CVE-2017-1000135 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1363873: Session Management Issue- Session is not invalidating after password change
|
CVE-2017-1000136 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1373170: Description of a skin should be html escaped
|
CVE-2014-8699 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1375092: XSS in page content editor
|
CVE-2017-1000137 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1377736: XSS Vulnerability adding pages into a collection
|
CVE-2017-1000138 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1381868: XSS with institution full name on user profile page
|
CVE-2014-8698 |
|
Mahara
|
Fix released, assigned to Yuliya Bozhko
|
|
Bug #1384009: Cookie lacking "secure" flag for HTTPS sites
|
CVE-2014-8693 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1384481: Minor version number displayed in JS, CSS links
|
CVE-2014-8692 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1385564: Secret URLs used on public computers leak access to later users of the same browser
|
CVE-2014-8691 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1386010: Author not anonymised on "Shared with me" page and in "Latest pages" block
|
CVE-2014-8696 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1387903: Should not be able to execute CLI scripts from the web
|
CVE-2014-8695 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1394820: SSRF in external feed
|
CVE-2014-9088 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1397736: Use SafeCURL in external RSS block
|
CVE-2017-1000139 |
|
Mahara
|
Won't fix, assigned to Aaron Wells
|
|
Bug #1404117: XSS via uploaded XML
|
CVE-2017-1000140 |
|
Mahara
|
Fix released, assigned to Son Nguyen
|
|
Bug #1422492: Mahara doesn't ask you for your password before changing your username
|
CVE-2017-1000141 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1425306: Users can delete submitted page through URL
|
CVE-2017-1000142 |
|
Mahara
|
Fix released, assigned to Yuliya Bozhko
|
|
Bug #1429647: Watchlist lets you watch and receive notifications about pages you don't have view access to
|
CVE-2017-1000143 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1447377: Stored XSS in user reports access lists, and shared tabs for user/group/institution
|
CVE-2017-1000144 |
|
Mahara
|
Fix released, assigned to Hugh Davenport
|
|
Bug #1460368: Even if you disallow anonymous comments at the site level, you can still place anonymous comments on artefacts
|
CVE-2017-1000145 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1472439: XSS in "add to watchlist" link on artefact detail screen
|
CVE-2017-1000146 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1480329: Session key is not checked during file upload
|
CVE-2017-1000147 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1508684: Unserialize untrusted data when importing skins
|
CVE-2017-1000148 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1558361: XSS vulnerability due to window.opener (target="_blank" and window.open())
|
CVE-2017-1000149 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1567784: Session ID's not being regenerated
|
CVE-2017-1000150 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1570221: Don't print parameter values in logs, in productionmode
|
CVE-2017-1000151 |
|
Mahara
|
Fix released, assigned to Aaron Wells
|
|
Bug #1570744: Duplicate session headers not removed in PHP 5.3
|
CVE-2017-1000152 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1577251: Should invalidate password reset links when a user changes their primary email address
|
CVE-2017-1000153 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1580399: Users can login to suspended institutions via external auth under some circumstances
|
CVE-2017-1000154 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1600069: See other's profile images one is not meant to
|
CVE-2017-1000155 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1609200: Non-admin role users can edit group settings
|
CVE-2017-1000156 |
|
Mahara
|
Fix released, assigned to Ghada El-Zoghbi
|
|
Bug #1652995: Phpmailer security update (v5.2.21)
|
CVE-2016-10045 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1692749: User passwords being saved in database event_log as plain text
|
CVE-2017-1000157 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1697308: Potential attack vector via registration form
|
CVE-2017-9551 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1701978: Old cookies lingering allowing one to login without giving login details
|
CVE-2017-14163 |
|
Mahara
|
Fix released, assigned to Cecilia Vela Gurovic
|
|
Bug #1719491: Avoid saving firstname / lastname / preferredname that contains html tags
|
CVE-2017-14752 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1732987: Fix user input from direct get post usage
|
CVE-2017-17454 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1734767: Mahara needing the HTTP Strict Transport Security (HSTS) header when site is https
|
CVE-2017-17455 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1744789: Avoid relying on TinyMCE code stripping alone
|
CVE-2018-6182 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1770535: Able to upload a virus file to Files section
|
CVE-2018-11196 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1770561: Browser back and refresh button attack vulnerability
|
CVE-2018-11195 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1772774: change error message when changing username
|
CVE-2018-11565 |
|
Mahara
|
Fix released, assigned to Cecilia Vela Gurovic
|
|
Bug #1817221: A site admin can access Mahara 'root' user and break the site
|
CVE-2019-9708 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1819547: XSS in collection title when viewwing on matrix page
|
CVE-2019-9709 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1840201: Elastic search: Search results are not restricted for aretfacts on pages shared with group
|
CVE-2020-9386 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1851418: Security upgrade simplesamlphp to 1.17.7
|
CVE-2019-3465 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1863043: Don't display personal information beyond what is necessary in "Edit access" Ajax response
|
CVE-2020-9282 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1922226: Group search list shows too many results from page 2 onwards
|
CVE-2022-29585 |
|
Mahara
|
Fix released, assigned to Gold
|
|
Bug #1930171: Strengthen the non-cryptographically random generated tokens
|
CVE-2022-28892 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1930469: Need to kill web service authentication session at end of process
|
CVE-2021-40849 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1930471: Exporting of CSV files needs to sanitize data
|
CVE-2021-40848 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1942903: Command injection vulnerability when PDF bulk export is enabled
|
CVE-2021-43266 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1944633: Stored cross site scripting in all "tags" input
|
CVE-2021-43265 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1944979: Path traversal leads to unauthenticated HTML file disclosure
|
CVE-2021-43264 |
|
Mahara
|
Fix released (unassigned)
|
|
Bug #1949527: Avoid command injection when PDF bulk export is enabled
|
CVE-2021-43266 |
|
Mahara
|
Fix released, assigned to Robert Lyon
|
|
Bug #1959146: Private group, site, or institution portfolios can be accessed by the URL without logging in
|
CVE-2022-24111 |
|
Mahara
|
Fix released, assigned to Doris Tam
|
|
Bug #1968920: XSS exploit in 'External media' block
|
CVE-2022-29584 |
|
Mahara
|
Fix released, assigned to Gold
|
|
Bug #1991157: Certain embedded images can be accessed without login
|
CVE-2022-42707 |
|
Mahara
|
Fix released, assigned to Gold
|
|
Bug #2003988: glob-parent vulnerability
|
CVE-2020-28469 |
|
Mahara
|
Fix released (unassigned)
|
