Mahara ≫ Mahara

Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does no...

In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they als...

Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy.

An issue was discovered in Mahara 23.04.8 and 24.04.4. Attackers may utilize escalation of privileges in certain cases when logging into Mahara with Learning Tools Interoperability (LTI).

In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute.

Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via the 'Current submissions' page: Administration -> Groups -> Submissi...

Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system.

An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download.

Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contai...

An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up b...