CVE-2021-40848

HIGH

Mahara <21.10.0 - Code Injection

Title source: llm

Description

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection.

References (2)

[Vendor Advisory] https://bugs.launchpad.net/mahara/+bug/1930471

[Vendor Advisory] https://mahara.org/interaction/forum/topic.php?id=8950

Scores

CVSS v3 7.8

EPSS 0.0045

EPSS Percentile 63.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (2)

mahara/mahara 21.10.0 rc1 (2 CPE variants)

mahara/mahara < 20.04.5

Published Nov 03, 2021

Tracked Since Feb 18, 2026