Richard-Mansfield

#41214de 53,633
6.5 CVSS total
Vulnerabilities · 1
PT-2011-3100
6.5
2011-05-13
Catalyst It · Mahara · CVE-2011-1402
**Name of the Vulnerable Software and Affected Versions**

Mahara versions prior to 1.3.6

**Description**

The issue allows remote authenticated users to bypass intended access restrictions. A logged-in user can perform actions they are not authorised for, such as suspending a user account, editing or visiting a view, editing a plan artefact, reading plans or blog blocks and artefacts, or accessing a block. The actions are performed via requests to several JSON endpoints, including:

- admin/users/search.json.php
- view/newviewtoken.json.php
- lib/mahara.php
- artefact/plans/tasks.json.php
- artefact/plans/viewtasks.json.php
- artefact/blog/view/index.json.php
- artefact/blog/posts.json.php
- blocktype/myfriends/myfriends.json.php

The root causes are incorrect privilege enforcement, a missing user id check (an endpoint acts on the requested object without confirming that it belongs to the requesting user), and incorrect enforcement of the Overriding Start/Stop Dates setting on views.

**Recommendations**

For Mahara versions prior to 1.3.6, update to version 1.3.6 or later. Until the update can be applied, restrict access to the affected endpoints (for example at the web server) as a temporary workaround. Also review and restrict user privileges, in particular who holds administrator rights and who is able to register an account, since the bypass requires an authenticated user.
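As an added example, not Mahara's own code and not part of the original advisory, the following models the three checks the description says were missing: an admin privilege check, an ownership (user id) check against the session user, and enforcement of a view's start/stop window. The data classes, the `handle_json_request` dispatcher, the action names and the sample records are hypothetical and constructed here; they stand in for the `*.json.php` endpoints listed above rather than reproducing them.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional


@dataclass
class User:
    id: int
    admin: bool = False
    suspended: bool = False


@dataclass
class Artefact:
    """A plan, plan task, blog or block artefact; `owner` is a user id."""
    id: int
    owner: int
    title: str


@dataclass
class View:
    """A page. `startdate`/`stopdate` model the Overriding Start/Stop Dates."""
    id: int
    owner: int
    public: bool = False
    startdate: Optional[datetime] = None
    stopdate: Optional[datetime] = None


class AccessDenied(Exception):
    pass


def require_admin(actor: User) -> None:
    """Privilege check for admin-only actions such as suspending a user."""
    if not actor.admin:
        raise AccessDenied("admin privilege required")


def require_owner(actor: User, artefact: Artefact) -> None:
    """The user id check: the artefact must belong to the session user.
    The comparison uses the server-side session identity, never a user id
    taken from the request."""
    if artefact.owner != actor.id:
        raise AccessDenied(f"artefact {artefact.id} is not owned by user {actor.id}")


def can_access_view(actor: User, view: View, now: datetime) -> bool:
    """The owner can always access the view; anyone else only if it is
    public and `now` lies inside the override window when one is set."""
    if actor.id == view.owner:
        return True
    if not view.public:
        return False
    if view.startdate is not None and now < view.startdate:
        return False
    if view.stopdate is not None and now > view.stopdate:
        return False
    return True


# Constructed sample data (hypothetical; not from any real Mahara instance).
USERS = {1: User(1, admin=True), 2: User(2), 3: User(3)}
ARTEFACTS = {10: Artefact(10, owner=2, title="my plan")}
VIEWS = {
    20: View(20, owner=2, public=True,
             startdate=datetime(2011, 6, 1), stopdate=datetime(2011, 6, 30)),
    21: View(21, owner=2, public=False),
}


def handle_json_request(actor: User, action: str, params: Dict, now: datetime) -> Dict:
    """Dispatcher standing in for a *.json.php endpoint: every branch
    authorises against the session user before it reads or changes a record."""
    try:
        if action == "suspend_user":
            require_admin(actor)
            USERS[params["userid"]].suspended = True
            return {"ok": True}
        if action == "edit_artefact":
            art = ARTEFACTS[params["artefact"]]
            require_owner(actor, art)
            art.title = params["title"]
            return {"ok": True}
        if action == "view_tasks":
            art = ARTEFACTS[params["artefact"]]
            require_owner(actor, art)
            return {"ok": True, "title": art.title}
        if action == "visit_view":
            view = VIEWS[params["view"]]
            if not can_access_view(actor, view, now):
                raise AccessDenied(f"no access to view {view.id}")
            return {"ok": True, "view": view.id}
        raise AccessDenied(f"unknown action {action!r}")
    except AccessDenied as exc:
        # Deny with a generic error; never fall through to the action.
        return {"error": str(exc)}


if __name__ == "__main__":
    now = datetime(2011, 6, 15)
    print(handle_json_request(USERS[3], "edit_artefact", {"artefact": 10, "title": "x"}, now))
    print(handle_json_request(USERS[3], "visit_view", {"view": 20}, datetime(2011, 7, 15)))
```

The point of the dispatcher is structural: the authorisation helper is called before any record is touched, and the identity it compares against comes from the session object, so a request that names another user's artefact or view id cannot widen what the caller may do.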