CVE-2021-29349
MEDIUM
Mahara 20.10 - Cross-Site Request Forgery via Inbox Mail Deletion
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2021-29349. PoCs published by Vulnmachines.
AI-analyzed exploit summary: The repository contains only a README with a CVE title and a link to an external GitHub profile, lacking any technical details or exploit code. It appears to be a placeholder or lure rather than a legitimate PoC.
Description
Mahara 20.10 is affected by Cross-Site Request Forgery (CSRF) that allows a remote attacker to remove inbox mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N