Ruslan Kabalin

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.3.x through 1.4.0 **Description** The issue allows remote authenticated users to read the messages of a different user via a modified `replyto` parameter in the "Reply to message" feature. **Recommendations** For Mahara versions 1.3.x through 1.4.0, update to version 1.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.3.6 **Description** The issue arises from improper handling of an https URL in the wwwroot configuration setting. This makes it easier for remote attackers to obtain credentials by sniffing the network when an http URL is used for a login. **Recommendations** For versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the login functionality over http to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.0.13 Mahara versions 1.1.x prior to 1.1.7 **Description** The issue allows remote authenticated institution administrators to reset a site administrator password. **Recommendations** For Mahara versions prior to 1.0.13, update to version 1.0.13 or later. For Mahara versions 1.1.x prior to 1.1.7, update to version 1.1.7 or later.