CVE-2021-29349

Name of the Vulnerable Software and Affected Versions: Mahara version 20.10

Description: The issue allows a remote attacker to remove inbox-mail on the server due to a Cross Site Request Forgery (CSRF) vulnerability. The application fails to validate the CSRF token for a POST request. An attacker can craft a "module/multirecipientnotification/inbox.php pieform delete all notifications" request, which leads to removing all messages from a mailbox.

Recommendations: For Mahara version 20.10, as a temporary workaround, consider disabling the pieform delete all notifications function in the module/multirecipientnotification/inbox.php endpoint until a patch is available. Restrict access to the inbox.php module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.