CVE-2021-40849

CRITICAL

Mahara <20.04.5-21.10.0 - Info Disclosure

Title source: llm

Description

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://bugs.launchpad.net/mahara/+bug/1930469

Vendor Advisory x_refsource_misc

https://mahara.org/interaction/forum/topic.php?id=8949

Scores

CVSS v3 9.8

EPSS 0.0131

EPSS Percentile 66.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-613

Status published

Products (2)

mahara/mahara 21.10.0 rc1 (2 CPE variants)

mahara/mahara < 20.04.5

Published Nov 03, 2021

Tracked Since Feb 18, 2026