0Xbaz

Name of the Vulnerable Software and Affected Versions: Mahara version 20.10 Description: The issue allows a remote attacker to remove inbox-mail on the server due to a Cross Site Request Forgery (CSRF) vulnerability. The application fails to validate the CSRF token for a POST request. An attacker can craft a "module/multirecipientnotification/inbox.php pieform delete all notifications" request, which leads to removing all messages from a mailbox. Recommendations: For Mahara version 20.10, as a temporary workaround, consider disabling the `pieform delete all notifications` function in the `module/multirecipientnotification/inbox.php` endpoint until a patch is available. Restrict access to the `inbox.php` module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.