Group search page shows too many results when isolated institutions is turned on
Vulnerability type: Insecure permissions
Attack type: Remote
Impact: Information disclosure
Affected components: The group search, accessible via Main menu → Engage → Groups when isolated institutions is turned on for the site.
Attack vectors: If the site has isolated institutions turned on and has more than 10 groups, someone using the paginator on the 'Groups' page can view the titles of all groups on the site from page 2 of the results list onwards, rather than only the groups in their own institution.
Description: In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using 'Isolated institutions' is vulnerable if groups are used: all groups are shown from page 2 of the group results list rather than only the groups of the institution the viewer is a member of.
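The defect described above is a filter that holds on the first page of results but is lost once the paginator takes over. The following is an added illustration of that bug class and its fix, not Mahara's code: the schema, the `grp` table, the `alpha`/`beta` institutions and the request shapes are all constructed assumptions. The vulnerable variant reads the institution restriction back from request parameters that the paginator links do not carry; the fixed variant derives it from the viewer's session on every page, and `audit()` walks all pages as a regression check.

```python
"""Constructed example of a paginated group search whose institution
restriction is dropped from page 2 onwards, beside the fixed form.
Not Mahara's code; names and schema are assumptions for illustration."""
import sqlite3

PAGE_SIZE = 10


def build_db():
    # Constructed sample data: two isolated institutions with 15 groups each,
    # so the viewer's own institution alone already needs two pages.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE grp (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "institution TEXT NOT NULL)"
    )
    rows = [(f"{inst}-group-{i:02d}", inst)
            for inst in ("alpha", "beta") for i in range(1, 16)]
    conn.executemany("INSERT INTO grp (name, institution) VALUES (?, ?)", rows)
    return conn


def first_page_request(viewer):
    # The initial search form submit carries the institution restriction.
    return {"page": 1, "institution": viewer["institution"]}


def paginator_link(page):
    # Assumed paginator behaviour: links carry only the page number.
    return {"page": page}


def search_groups_vulnerable(conn, viewer, request):
    # Bug pattern: the restriction is rebuilt from the request, so a bare
    # "page=2" link silently runs the query over every group on the site.
    where, params = "", []
    if "institution" in request:
        where = "WHERE institution = ?"
        params.append(request["institution"])
    params += [PAGE_SIZE, (request["page"] - 1) * PAGE_SIZE]
    sql = f"SELECT name FROM grp {where} ORDER BY name LIMIT ? OFFSET ?"
    return [row[0] for row in conn.execute(sql, params)]


def search_groups_fixed(conn, viewer, request):
    # Fix: with isolated institutions on, the restriction comes from the
    # viewer's session on every page and never from request state.
    offset = (request["page"] - 1) * PAGE_SIZE
    sql = "SELECT name FROM grp WHERE institution = ? ORDER BY name LIMIT ? OFFSET ?"
    params = (viewer["institution"], PAGE_SIZE, offset)
    return [row[0] for row in conn.execute(sql, params)]


def foreign_groups(results, viewer):
    """Result names that belong to another institution; must be empty."""
    prefix = viewer["institution"] + "-"
    return [name for name in results if not name.startswith(prefix)]


def audit(conn, viewer, search, pages=3):
    """Regression check: walk every page the way a browser would (form submit,
    then paginator links) and collect any cross-institution names."""
    leaks = []
    for page in range(1, pages + 1):
        req = first_page_request(viewer) if page == 1 else paginator_link(page)
        leaks += foreign_groups(search(conn, viewer, req), viewer)
    return leaks


if __name__ == "__main__":
    db = build_db()
    me = {"institution": "alpha"}
    print("vulnerable leaks:", len(audit(db, me, search_groups_vulnerable)))
    print("fixed leaks:     ", len(audit(db, me, search_groups_fixed)))
```

Running the audit against a search function is the check worth keeping in a test suite: page 1 looks correct in both variants, and only page 2 and later reveal the difference.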
Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1922226
CVE reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29585