Saksham Anand

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 20.04.5 Mahara versions prior to 20.10.3 Mahara versions prior to 21.04.2 Mahara versions prior to 21.10.0 **Description** The issue allows exported CSV files to contain characters that a spreadsheet program could interpret as a command, leading to the execution of a malicious string locally on a device. This is known as CSV injection. **Recommendations** For versions prior to 20.04.5, update to version 20.04.5 or later. For versions prior to 20.10.3, update to version 20.10.3 or later. For versions prior to 21.04.2, update to version 21.04.2 or later. For versions prior to 21.10.0, update to version 21.10.0 or later.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton Greenlight versions prior to 2.5.6 **Description** The issue allows HTTP header attacks, specifically targeting the Host and Origin headers, which can lead to account takeover. This can occur when a victim follows a spoofed password-reset link. **Recommendations** For versions prior to 2.5.6, update to version 2.5.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.2.4 **Description** The issue allows for XSS via closed captions due to the use of `dangerouslySetInnerHTML` in React. **Recommendations** For versions prior to 2.2.4, update to version 2.2.4 or later to resolve the issue.