CVE-2020-9386
MEDIUM
Mahara 18.10.0-18.10.5 - Exposure of Sensitive File Metadata to Unauthorized Group Members via Elasticsearch
Title source: llm
Description
In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore.
References (2)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/mahara/+bug/1840201
Vendor Advisory x_refsource_confirm
https://mahara.org/interaction/forum/topic.php?id=8589
Scores
CVSS v3
4.3
EPSS
0.0100
EPSS Percentile
58.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
mahara/mahara
18.10.0 - 18.10.5
Published
Mar 09, 2020
Tracked Since
Feb 18, 2026