CVE-2022-29585
HIGHMahara < 20.10.5, 21.04.4, 21.10.2, 22.04.0 - Unauthorized Group Data Exposure via Isolated Institutions
Title source: llmDescription
In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://bugs.launchpad.net/mahara/+bug/1922226
Vendor Advisory x_refsource_misc
https://mahara.org/interaction/forum/topic.php?id=9093
Scores
CVSS v3
7.5
EPSS
0.0095
EPSS Percentile
56.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-276
Status
published
Products (2)
mahara/mahara
22.04.0 rc1
mahara/mahara
< 20.10.5
Published
Apr 28, 2022
Tracked Since
Feb 18, 2026