CVE-2011-1404

Name of the Vulnerable Software and Affected Versions Mahara versions prior to 1.3.6

Description The issue allows remote authenticated users to obtain sensitive information via certain requests. This is due to the improper restriction of data in responses to AJAX calls. The affected API endpoints include "blocktype/myfriends/myfriends.json.php", "json/usersearch.php", "group/membersearchresults.json.php", and "json/friendsearch.php". This can lead to the exposure of information about friends and e-mail addresses.

Recommendations For Mahara versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints until a patch is available.