Abdullah Hussam Gazi

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.9 through 1.9.7 Mahara versions 1.10 through 1.10.5 Mahara versions 15.04 through 15.04.2 **Description** The issue allows an attacker to perform a cross-site request forgery (CSRF) attack on the uploader contained in Mahara's filebrowser widget. This could enable an attacker to trick a Mahara user into unknowingly uploading malicious files into their Mahara account. **Recommendations** For Mahara versions 1.9 through 1.9.7, update to version 1.9.8 or later. For Mahara versions 1.10 through 1.10.5, update to version 1.10.6 or later. For Mahara versions 15.04 through 15.04.2, update to version 15.04.3 or later.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 3.2.2 **Description** The issue allows remote attackers to bypass the CSRF protection mechanism via an empty token. This is related to the HTML Quickform library used in Revive Adserver. **Recommendations** For versions prior to 3.2.2, update to version 3.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 3.2.2 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved by uploading a file containing errors via the plugin upgrade form, which then injects the malicious script or HTML through the filename of the uploaded file. **Recommendations** For versions prior to 3.2.2, update to version 3.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin upgrade form to minimize the risk of exploitation.