CVE-2012-2239
CRITICAL
Mahara 1.4.0-1.4.3 and 1.5.0-1.5.2 - XML External Entity Injection
Title source: llm
Description
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
References (3)
Core References
Mailing List vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2591
Issue Tracking, Patch x_refsource_confirm
https://bugs.launchpad.net/mahara/+bug/1047111
Vendor Advisory x_refsource_confirm
https://mahara.org/interaction/forum/topic.php?id=4869
Scores
CVSS v3
9.1
EPSS
0.0155
EPSS Percentile
71.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-611
Status
published
Products (2)
debian/debian_linux
6.0
mahara/mahara
1.4.0 - 1.4.4
Published
Nov 24, 2012
Tracked Since
Feb 18, 2026