Mike Haworth

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.4.x through 1.4.3 Mahara versions 1.5.x through 1.5.2 **Description** The issue allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack. This can be demonstrated by reading the config.php file. **Recommendations** For Mahara versions 1.4.x through 1.4.3, update to version 1.4.4 or later. For Mahara versions 1.5.x through 1.5.2, update to version 1.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.4.x through 1.4.4 Mahara versions 1.5.x through 1.5.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script. **Recommendations** For Mahara versions 1.4.x through 1.4.4, update to version 1.4.5 or later. For Mahara versions 1.5.x through 1.5.3, update to version 1.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.4.x through 1.4.4 Mahara versions 1.5.x through 1.5.3 **Description** The issue allows remote authenticated administrators to execute arbitrary programs by modifying the path to `clamav`. It can also be exploited without authentication by leveraging another vulnerability. **Recommendations** For Mahara versions 1.4.x through 1.4.4, update to version 1.4.5 or later. For Mahara versions 1.5.x through 1.5.3, update to version 1.5.4 or later.