PT-2020-20627 · Catalyst It · Mahara
Lisa Seeto +1 · Published 2020-03-09 · Updated 2022-10-07 · CVE-2020-9386
CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Mahara versions 18.10 through 18.10.4
Mahara versions 19.04 through 19.04.3
Mahara versions 19.10 through 19.10.1
Description
File metadata is disclosed to group members in the Elasticsearch result list even though they no longer have access to the artefact. Access controls are not properly enforced on these results, which leads to unauthorized disclosure of information.
Recommendations
For Mahara versions 18.10 through 18.10.4, update to version 18.10.5 or later.
For Mahara versions 19.04 through 19.04.3, update to version 19.04.4 or later.
For Mahara versions 19.10 through 19.10.1, update to version 19.10.2 or later.
Fix
Information Disclosure
Affected Products
Mahara