Aaron Wells

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.5.12 Mahara versions 1.6.x prior to 1.6.7 Mahara versions 1.7.x prior to 1.7.3 **Description** The issue allows remote authenticated users to read arbitrary artefacts. This can be achieved via the `artefact id` in an upload action when creating a journal or the `instconf artefactid selected[ID]` parameter in an upload action when editing a block. **Recommendations** For Mahara versions prior to 1.5.12, update to version 1.5.12 or later. For Mahara versions 1.6.x prior to 1.6.7, update to version 1.6.7 or later. For Mahara versions 1.7.x prior to 1.7.3, update to version 1.7.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.5.12 Mahara versions 1.6.x prior to 1.6.7 Mahara versions 1.7.x prior to 1.7.3 **Description** The issue allows remote authenticated users to modify arbitrary blocks via the block id in an edit request, due to improper access prevention to blocks. **Recommendations** For Mahara versions prior to 1.5.12, update to version 1.5.12 or later. For Mahara versions 1.6.x prior to 1.6.7, update to version 1.6.7 or later. For Mahara versions 1.7.x prior to 1.7.3, update to version 1.7.3 or later.