CVE-2011-1402

Name of the Vulnerable Software and Affected Versions Mahara versions prior to 1.3.6

Description The issue allows remote authenticated users to bypass intended access restrictions. This can lead to various unauthorized actions such as suspending a user account, editing or visiting a view, editing a plan artefact, reading plans or blog blocks and artefacts, or accessing a block. The actions can be performed via requests associated with several API endpoints, including "admin/users/search.json.php", "view/newviewtoken.json.php", "lib/mahara.php", "artefact/plans/tasks.json.php", "artefact/plans/viewtasks.json.php", "artefact/blog/view/index.json.php", "artefact/blog/posts.json.php", and "blocktype/myfriends/myfriends.json.php". The problem is related to incorrect privilege enforcement, a missing user id check, and incorrect enforcement of the Overriding Start/Stop Dates setting.

Recommendations For Mahara versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints until the update can be applied. Additionally, review and restrict user privileges to minimize the risk of exploitation.