Total
98 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000146 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages. | |||||
| CVE-2017-1000144 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 4.8 MEDIUM |
| Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages. | |||||
| CVE-2017-1000143 | 1 Mahara | 1 Mahara | 2017-11-15 | 4.0 MEDIUM | 4.3 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to users receiving watchlist notifications about pages they do not have access to anymore. | |||||
| CVE-2017-1000140 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when user tries to download the file. | |||||
| CVE-2017-1000138 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title. | |||||
| CVE-2017-1000137 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop). | |||||
| CVE-2017-1000139 | 1 Mahara | 1 Mahara | 2017-11-15 | 6.0 MEDIUM | 8.0 HIGH |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to server-side request forgery attacks as not all processes of curl redirects are checked against a white or black list. Employing SafeCurl will prevent issues. | |||||
| CVE-2017-1000136 | 1 Mahara | 1 Mahara | 2017-11-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | |||||
| CVE-2017-1000135 | 1 Mahara | 1 Mahara | 2017-11-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | |||||
| CVE-2017-1000132 | 1 Mahara | 1 Mahara | 2017-11-15 | 3.5 LOW | 4.8 MEDIUM |
| Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file. | |||||
| CVE-2017-15273 | 1 Mahara | 1 Mahara | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. | |||||
| CVE-2017-14752 | 1 Mahara | 1 Mahara | 2017-11-13 | 3.5 LOW | 5.4 MEDIUM |
| Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara. | |||||
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2017-11-13 | 6.5 MEDIUM | 8.8 HIGH |
| Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logout. This makes users of the site more vulnerable to session fixation attacks. | |||||
| CVE-2017-1000151 | 1 Mahara | 1 Mahara | 2017-11-13 | 5.0 MEDIUM | 7.5 HIGH |
| Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to passwords or other sensitive information being passed by unusual parameters to end up in an error log. | |||||
| CVE-2017-1000154 | 1 Mahara | 1 Mahara | 2017-11-13 | 7.5 HIGH | 9.8 CRITICAL |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to some authentication methods, which do not use Mahara's built-in login form, still allowing users to log in even if their institution was expired or suspended. | |||||
| CVE-2017-1000155 | 1 Mahara | 1 Mahara | 2017-11-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to profile pictures being accessed without any access control checks consequently allowing any of a user's uploaded profile pictures to be viewable by anyone, whether or not they were currently selected as the "default" or used in any pages. | |||||
| CVE-2017-1000157 | 1 Mahara | 1 Mahara | 2017-11-13 | 3.5 LOW | 4.4 MEDIUM |
| Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recording plain text passwords in the event_log table during the user creation process if full event logging was turned on. | |||||
| CVE-2017-1000133 | 1 Mahara | 1 Mahara | 2017-11-13 | 5.0 MEDIUM | 7.5 HIGH |
| Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to a user - in some circumstances causing another user's artefacts to be included in a Leap2a export of their own pages. | |||||
| CVE-2017-9551 | 1 Mahara | 1 Mahara | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user submitting potential dangerous payload, e.g. XSS code, to be saved as their name in the usr_registration table. The values are then emailed to the the user and administrator and if accepted become part of the new user's account. | |||||
| CVE-2012-2246 | 1 Mahara | 1 Mahara | 2017-08-28 | 6.8 MEDIUM | N/A |
| Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php. | |||||