PT-2018-10391 · Cisco+1 · Clamav+1
Swe Zin Lynn
·
Published
2018-06-01
·
Updated
2018-07-03
·
CVE-2018-11196
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Mahara versions 17.04 through 17.04.7
Mahara versions 17.10 through 17.10.4
Mahara versions 18.04 through 18.04.0
Description
The issue allows malicious files to be uploaded and made available for download by placing infected files into a Leap2A archive. Unlike other ZIP files, ClamAV does not check Leap2A archives for viruses when activated. Although files cannot be executed on Mahara itself, it can be used as a medium to transfer such files to user computers.
Recommendations
For Mahara versions 17.04 through 17.04.7, update to version 17.04.8 or later.
For Mahara versions 17.10 through 17.10.4, update to version 17.10.5 or later.
For Mahara versions 18.04 through 18.04.0, update to version 18.04.1 or later.
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Clamav
Mahara