Aaron Wellson

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.8 through 1.8.6 Mahara versions 1.9 through 1.9.4 Mahara versions 1.10 through 1.10.2 Mahara versions 15.04 through 15.04.0 **Description** The issue allows maliciously created .swf files to have their code executed when a user attempts to download the file. **Recommendations** For Mahara versions 1.8 through 1.8.6, update to version 1.8.7 or later. For Mahara versions 1.9 through 1.9.4, update to version 1.9.5 or later. For Mahara versions 1.10 through 1.10.2, update to version 1.10.3 or later. For Mahara versions 15.04 through 15.04.0, update to a version later than 15.04.0.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.7 Mahara versions 15.10 through 15.10.3 Mahara versions 16.04 through 16.04.1 **Description** The issue allows a user, under certain circumstances, to include another user's artefacts in a Leap2a export of their own pages. **Recommendations** For Mahara versions 15.04 through 15.04.7, update to version 15.04.8 or later. For Mahara versions 15.10 through 15.10.3, update to version 15.10.4 or later. For Mahara versions 16.04 through 16.04.1, update to version 16.04.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.8 through 1.8.6 Mahara versions 1.9 through 1.9.4 Mahara versions 1.10 through 1.10.2 Mahara versions 15.04 before 15.04.0 **Description** The issue allows for server-side request forgery attacks because not all processes of curl redirects are checked against a white or black list. Employing SafeCurl can prevent issues. **Recommendations** For Mahara versions 1.8 through 1.8.6, update to version 1.8.7 or later. For Mahara versions 1.9 through 1.9.4, update to version 1.9.5 or later. For Mahara versions 1.10 through 1.10.2, update to version 1.10.3 or later. For Mahara versions 15.04 before 15.04.0, update to version 15.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.8 through 1.8.6 Mahara versions 1.9 through 1.9.4 Mahara versions 1.10 through 1.10.2 Mahara versions 15.04 before 15.04.0 **Description** The issue allows users to receive watchlist notifications about pages they no longer have access to. **Recommendations** For Mahara versions 1.8 through 1.8.6, update to version 1.8.7 or later. For Mahara versions 1.9 through 1.9.4, update to version 1.9.5 or later. For Mahara versions 1.10 through 1.10.2, update to version 1.10.3 or later. For Mahara versions 15.04 before 15.04.0, update to version 15.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.10 through 1.10.8 Mahara versions 15.04 through 15.04.5 Mahara versions 15.10 through 15.10.1 **Description** The issue is related to XSS due to the use of `window.opener` with `target=" blank"` and `window.open()`. **Recommendations** For Mahara versions 1.10 through 1.10.8, update to version 1.10.9. For Mahara versions 15.04 through 15.04.5, update to version 15.04.6. For Mahara versions 15.10 through 15.10.1, update to version 15.10.2.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.6 Mahara versions 15.10 through 15.10.2 **Description** The issue prevents session IDs from being regenerated on login or logout, making users more susceptible to session fixation attacks. **Recommendations** For Mahara versions 15.04 through 15.04.6, update to version 15.04.7 or later. For Mahara versions 15.10 through 15.10.2, update to version 15.10.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.8 Mahara versions 15.10 through 15.10.4 Mahara versions 16.04 through 16.04.2 **Description** The issue allows passwords or other sensitive information to be passed by unusual parameters, potentially ending up in an error log. **Recommendations** For Mahara versions 15.04 through 15.04.8, update to version 15.04.9 or later. For Mahara versions 15.10 through 15.10.4, update to version 15.10.5 or later. For Mahara versions 16.04 through 16.04.2, update to version 16.04.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.6 Mahara versions 15.10 through 15.10.2 **Description** The issue allows one user to be logged in as another user on a separate computer due to the same session ID being served. This can happen when a user takes an action that forces another user to be logged out of Mahara, such as an admin changing another user's account settings. **Recommendations** For Mahara versions 15.04 through 15.04.6, update to version 15.04.7 to resolve the issue. For Mahara versions 15.10 through 15.10.2, update to version 15.10.3 to resolve the issue.