Robertl-9

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 20.10.5 Mahara versions prior to 21.04.4 Mahara versions prior to 21.10.2 Mahara versions prior to 22.04.0 **Description** The issue is related to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. **Recommendations** For versions prior to 20.10.5, update to version 20.10.5 or later. For versions prior to 21.04.4, update to version 21.04.4 or later. For versions prior to 21.10.2, update to version 21.10.2 or later. For versions prior to 22.04.0, update to version 22.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 20.04.5 Mahara versions prior to 20.10.3 Mahara versions prior to 21.04.2 Mahara versions prior to 21.10.0 **Description** The account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure and often escalation of privileges. **Recommendations** For versions prior to 20.04.5, update to version 20.04.5 or later. For versions prior to 20.10.3, update to version 20.10.3 or later. For versions prior to 21.04.2, update to version 21.04.2 or later. For versions prior to 21.10.0, update to version 21.10.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.7 Mahara versions 15.10 through 15.10.3 Mahara versions 16.04 through 16.04.1 **Description** The issue affects authentication methods that do not utilize Mahara's built-in login form, allowing users to log in even if their institution has been expired or suspended. **Recommendations** For Mahara versions 15.04 through 15.04.7, update to version 15.04.8 to resolve the issue. For Mahara versions 15.10 through 15.10.3, update to version 15.10.4 to resolve the issue. For Mahara versions 16.04 through 16.04.1, update to version 16.04.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.7 Mahara versions 15.10 through 15.10.3 Mahara versions 16.04 through 16.04.1 **Description** The issue allows profile pictures to be accessed without any access control checks, consequently allowing any of a user's uploaded profile pictures to be viewable by anyone, whether or not they were currently selected as the "default" or used in any pages. **Recommendations** For Mahara versions 15.04 through 15.04.7, update to version 15.04.8 to resolve the issue. For Mahara versions 15.10 through 15.10.3, update to version 15.10.4 to resolve the issue. For Mahara versions 16.04 through 16.04.1, update to version 16.04.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.8 through 1.8.5 Mahara versions 1.9 through 1.9.3 Mahara versions 1.10 through 1.10.0 Mahara versions 15.04 through 15.04.0 **Description** The issue allows group members to lose access to the group files they uploaded if another group member changes the access permissions on them. **Recommendations** For Mahara versions 1.8 through 1.8.5, update to version 1.8.6 or later. For Mahara versions 1.9 through 1.9.3, update to version 1.9.4 or later. For Mahara versions 1.10 through 1.10.0, update to version 1.10.1 or later. For Mahara versions 15.04 through 15.04.0, update to version 15.04.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.12 Mahara versions 16.04 through 16.04.6 Mahara versions 16.10 through 16.10.3 Mahara versions 17.04 through 17.04.1 **Description** The issue allows plain text passwords to be recorded in the event log table during the user creation process if full event logging was turned on. **Recommendations** For Mahara versions 15.04 through 15.04.12, update to version 15.04.13 or later. For Mahara versions 16.04 through 16.04.6, update to version 16.04.7 or later. For Mahara versions 16.10 through 16.10.3, update to version 16.10.4 or later. For Mahara versions 17.04 through 17.04.1, update to version 17.04.2 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 1.8 through 1.8.6 Mahara versions 1.9 through 1.9.4 Mahara versions 1.10 through 1.10.2 Mahara versions 15.04 through 15.04.0 **Description** The issue allows logged-in users to remain logged in even after the institution they belong to has been suspended. **Recommendations** For Mahara versions 1.8 through 1.8.6, update to version 1.8.7 or later. For Mahara versions 1.9 through 1.9.4, update to version 1.9.5 or later. For Mahara versions 1.10 through 1.10.2, update to version 1.10.3 or later. For Mahara versions 15.04 through 15.04.0, update to a version later than 15.04.0.

**Name of the Vulnerable Software and Affected Versions** Mahara versions 15.04 through 15.04.14 Mahara versions 16.04 through 16.04.8 Mahara versions 16.10 through 16.10.5 Mahara versions 17.04 through 17.04.3 **Description** The issue allows a user to submit potentially dangerous payloads, such as XSS code, to be saved as their first name, last name, or display name in the profile fields. This can cause issues including escalation of privileges or unknown execution of malicious code when replying to messages in Mahara. **Recommendations** For Mahara versions 15.04 through 15.04.14, update to version 15.04.15 or later. For Mahara versions 16.04 through 16.04.8, update to version 16.04.9 or later. For Mahara versions 16.10 through 16.10.5, update to version 16.10.6 or later. For Mahara versions 17.04 through 17.04.3, update to version 17.04.4 or later.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 15.04.14 Mahara versions 16.x prior to 16.04.8 Mahara versions 16.10.x prior to 16.10.5 Mahara versions 17.x prior to 17.04.3 **Description** An issue allows unauthorized access to a user's account if the browser is closed without logging out of Mahara. The value in the `usr session` table remains, and an attacker can exploit this by adjusting the `mahara` cookie to the old value, thus gaining access to the user's account. **Recommendations** For Mahara versions prior to 15.04.14, update to version 15.04.14 or later. For Mahara versions 16.x prior to 16.04.8, update to version 16.04.8 or later. For Mahara versions 16.10.x prior to 16.10.5, update to version 16.10.5 or later. For Mahara versions 17.x prior to 17.04.3, update to version 17.04.3 or later.