threatengine.sh · Product: mahara
110 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
| CVE | Affected versions | Summary | CVSS | Severity |
|---|---|---|---|---|
| CVE-2024-47192 | < 23.04.9 | An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to downloa | 5.3 | MEDIUM |
| CVE-2024-35203 | < 22.10.6 | Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name | 6.1 | MEDIUM |
| CVE-2024-39335 | >= 23.04.0 and < 23.04.6 | Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an ins | 9.1 | CRITICAL |
| CVE-2025-29992 | < 24.04.9 | Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database serve | 7.5 | HIGH |
| CVE-2024-47853 | < 23.04.9 | An issue was discovered in Mahara 23.04.8 and 24.04.4. Attackers may utilize escalation of privileges in certain cases when loggin | 8.8 | HIGH |
| CVE-2024-45753 | < 23.04.9 | In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the li | 6.1 | MEDIUM |
| CVE-2024-39923 | >= 23.04.0 and < 23.04.7 | An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be | 6.1 | MEDIUM |
| CVE-2023-47799 | < 22.10.4 | Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the a | 7.5 | HIGH |
| CVE-2022-45133 | >= 21.10.0 and < 21.10.6 | Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly st | 6.5 | MEDIUM |
| CVE-2022-45134 | >= 21.10.0 and < 21.10.6 | Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A | 9.8 | CRITICAL |
| CVE-2022-44544 | >= 21.04.0 and < 21.04.7 | Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export t | 9.8 | CRITICAL |
| CVE-2022-42707 | >= 21.04.0 and < 21.04.7 | In Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0, embedded images are accessib | 7.5 | HIGH |
| CVE-2022-33913 | >= 21.04.0 and < 21.04.6 | In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no per | 7.5 | HIGH |
| CVE-2022-29585 | < 20.10.5 | In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups | 7.5 | HIGH |
| CVE-2022-29584 | < 20.10.5 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for em | 5.4 | MEDIUM |
| CVE-2022-28892 | < 20.10.5 | Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated | 8.8 | HIGH |
| CVE-2022-24111 | >= 21.04.0 and < 21.04.3 | In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group mem | 5.3 | MEDIUM |
| CVE-2022-24694 | >= 20.10.0 and < 20.10.4 | In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen | 4.3 | MEDIUM |
| CVE-2021-40849 | < 20.04.5 | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being e | 9.8 | CRITICAL |
| CVE-2021-40848 | < 20.04.5 | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program co | 7.8 | HIGH |
| CVE-2021-43266 | >= 20.04.0 and < 20.04.5 | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exporting collections via PDF export could lead to code execution via she | 7.3 | HIGH |
| CVE-2021-43265 | >= 20.04.0 and < 20.04.5 | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could be used for XSS, such as via a SCRIPT element. | 5.4 | MEDIUM |
| CVE-2021-43264 | >= 20.04.0 and < 20.04.5 | In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, adjusting the path component for the page help file allows attackers to b | 3.3 | LOW |
| CVE-2020-23052 | all versions | Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component | 5.4 | MEDIUM |
| CVE-2021-29349 | all versions | Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. Th | 6.5 | MEDIUM |
| CVE-2020-15907 | >= 19.04 and < 19.04.6 | In Mahara 19.04 before 19.04.6, 19.10 before 19.10.4, and 20.04 before 20.04.1, certain places could execute file or folder names | 6.1 | MEDIUM |
| CVE-2020-9387 | >= 19.04 and < 19.04.5 | In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that | 4.3 | MEDIUM |
| CVE-2020-9386 | >= 18.10.0 and < 18.10.5 | In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group me | 4.3 | MEDIUM |
| CVE-2020-9282 | >= 18.10.0 and < 18.10.5 | In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, certain personal information is discoverable inspe | 6.5 | MEDIUM |
| CVE-2012-2237 | >= 1.4.0 and < 1.4.3 | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.3 and 1.5.x before 1.5.2 allow remote attackers to | 6.1 | MEDIUM |
| CVE-2013-1426 | < 1.5.9 | Cross-site Scripting (XSS) in Mahara before 1.5.9 and 1.6.x before 1.6.4 allows remote attackers to inject arbitrary web script or | 6.1 | MEDIUM |
| CVE-2019-9708 | >= 17.10.0 and < 17.10.8 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. A site administrator can s | 4.9 | MEDIUM |
| CVE-2019-9709 | >= 17.10.0 and < 17.10.8 | An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vu | 5.4 | MEDIUM |
| CVE-2018-11196 | >= 17.04.0 and < 17.04.8 | Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 can be used as medium to transmit viruses by placing | 7.5 | HIGH |
| CVE-2018-11195 | >= 17.04.0 and < 17.04.8 | Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to the browser "back and refresh" att | 6.8 | MEDIUM |
| CVE-2018-11565 | >= 17.04.0 and < 17.04.8 | Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are | 5.3 | MEDIUM |
| CVE-2018-6182 | >= 16.10 and < 16.10.9 | Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed | 6.1 | MEDIUM |
| CVE-2017-17455 | >= 16.10.0 and < 16.10.7 | Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 are vulnerable to being forced, via a man-in-the-middl | 5.9 | MEDIUM |
| CVE-2017-17454 | >= 16.10.0 and < 16.10.7 | Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when | 5.4 | MEDIUM |
| CVE-2017-1000141 | < 18.10.0 | An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain | 6.5 | MEDIUM |
| CVE-2017-1000171 | <= 1.2.0 | Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to the Mahara access log in plain text. | 9.8 | CRITICAL |
| CVE-2017-1000157 | all versions | Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recordin | 4.4 | MEDIUM |
| CVE-2017-1000156 | all versions | Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to a group's configuration page being | 6.5 | MEDIUM |
| CVE-2017-1000155 | all versions | Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to profile pictures being accessed wi | 4.3 | MEDIUM |
| CVE-2017-1000154 | all versions | Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to some authentication methods, which | 9.8 | CRITICAL |
| CVE-2017-1000153 | all versions | Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after th | 9.8 | CRITICAL |
| CVE-2017-1000152 | all versions | Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 are vulnerable to one user being logged in as another user on | 9.8 | CRITICAL |
| CVE-2017-1000151 | all versions | Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before 16.04.3 are vulnerable to passwords or other sensitive infor | 7.5 | HIGH |
| CVE-2017-1000150 | all versions | Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to prevent session IDs from being regenerated on login or logo | 8.8 | HIGH |
| CVE-2017-1000149 | all versions | Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15.10.2 are vulnerable to XSS due to window.opener (target="_b | 5.4 | MEDIUM |
| CVE-2017-1000148 | all versions | Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to PHP code execution as Mahara would | 8.8 | HIGH |
| CVE-2017-1000147 | all versions | Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04.3 are vulnerable to perform a cross-site request forgery (CS | 6.8 | MEDIUM |
| CVE-2017-1000146 | all versions | Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in | 5.4 | MEDIUM |
| CVE-2017-1000145 | all versions | Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to anonymous comments being able to be plac | 4.9 | MEDIUM |
| CVE-2017-1000144 | all versions | Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being | 4.8 | MEDIUM |
| CVE-2017-1000143 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to users receiving wat | 4.3 | MEDIUM |
| CVE-2017-1000142 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to users being able to | 6.5 | MEDIUM |
| CVE-2017-1000140 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously creat | 5.4 | MEDIUM |
| CVE-2017-1000139 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to server-side request | 8.0 | HIGH |
| CVE-2017-1000138 | all versions | Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files in | 5.4 | MEDIUM |
| CVE-2017-1000137 | all versions | Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a p | 5.4 | MEDIUM |
| CVE-2017-1000136 | all versions | Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not be | 6.5 | MEDIUM |
| CVE-2017-1000135 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can | 6.5 | MEDIUM |
| CVE-2017-1000134 | all versions | Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable because group members | 8.1 | HIGH |
| CVE-2017-1000133 | all versions | Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to a user - in some circumstances cau | 7.5 | HIGH |
| CVE-2017-1000132 | all versions | Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously creat | 4.8 | MEDIUM |
| CVE-2017-1000131 | all versions | Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their M | 6.5 | MEDIUM |
| CVE-2017-15273 | all versions | Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submit | 5.4 | MEDIUM |
| CVE-2017-14752 | all versions | Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submit | 5.4 | MEDIUM |
| CVE-2017-14163 | all versions | An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8, 16.10.x before 16.10.5, and 17.x before 17.04.3. When one | 8.8 | HIGH |
| CVE-2017-9551 | all versions | Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user s | 6.1 | MEDIUM |
| CVE-2013-4432 | <= 1.5.12 | Mahara before 1.5.13, 1.6.x before 1.6.8, and 1.7.x before 1.7.4 does not properly restrict access to folders, which allows remote | | |
| CVE-2013-4431 | <= 1.5.11 | Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly prevent access to blocks, which allows remote a | | |
| CVE-2013-4430 | <= 1.5.11 | Cross-site scripting (XSS) vulnerability in Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 allows remote attacke | | |
| CVE-2013-4429 | <= 1.5.11 | Mahara before 1.5.12, 1.6.x before 1.6.7, and 1.7.x before 1.7.3 does not properly restrict access to artefacts, which allows remo | | |
| CVE-2012-6037 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions includ | | |
| CVE-2012-2253 | all versions | Cross-site scripting (XSS) vulnerability in group/members.php in Mahara 1.5.x before 1.5.7 and 1.6.x before 1.6.2 allows remote at | | |
| CVE-2012-2247 | all versions | Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arb | | |
| CVE-2012-2246 | all versions | Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users | | |
| CVE-2012-2244 | all versions | Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modif | | |
| CVE-2012-2243 | all versions | Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arb | | |
| CVE-2012-2239 | >= 1.4.0 and < 1.4.4 | Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an | 9.1 | CRITICAL |
| CVE-2012-2351 | <= 1.4.1 | The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" op | | |
| CVE-2011-4118 | <= 1.4.0 | Mahara before 1.4.1, when MNet (aka the Moodle network feature) is used, allows remote authenticated users to gain privileges via | | |
| CVE-2011-2774 | all versions | The "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 allows remote authenticated users to read the messages of a | | |
| CVE-2011-2773 | <= 1.4.0 | Cross-site request forgery (CSRF) vulnerability in Mahara before 1.4.1 allows remote attackers to hijack the authentication of adm | | |
| CVE-2011-2772 | <= 1.4.0 | The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which | | |
| CVE-2011-2771 | <= 1.4.0 | Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script o | | |
| CVE-2011-1406 | <= 1.3.5 | Mahara before 1.3.6 does not properly handle an https URL in the wwwroot configuration setting, which makes it easier for user-ass | | |
| CVE-2011-1405 | <= 1.3.5 | Cross-site scripting (XSS) vulnerability in Mahara before 1.3.6 allows remote authenticated users to inject arbitrary web script o | | |
| CVE-2011-1404 | <= 1.3.5 | Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obt | | |
| CVE-2011-1403 | <= 1.3.5 | Cross-site request forgery (CSRF) vulnerability in the pieforms implementation in Mahara before 1.3.6 allows remote attackers to h | | |
| CVE-2011-1402 | <= 1.3.5 | Mahara before 1.3.6 allows remote authenticated users to bypass intended access restrictions, and suspend a user account, edit a v | | |
| CVE-2011-0440 | all versions | Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to hij | | |
| CVE-2011-0439 | all versions | Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to inject arb | | |
| CVE-2010-3871 | <= 1.3.2 | Cross-site scripting (XSS) vulnerability in blocktype/groupviews/theme/raw/groupviews.tpl in Mahara before 1.3.3 allows remote att | | |
| CVE-2010-2479 | <= 1.0.14 | Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is | | |
| CVE-2010-1670 | <= 1.0.14 | Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins ass | | |
| CVE-2010-1669 | all versions | SQL injection vulnerability in Mahara 1.1.x before 1.1.9 and 1.2.x before 1.2.5 allows remote attackers to execute arbitrary SQL c | | |
| CVE-2010-1668 | <= 1.0.14 | Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 all | | |
| CVE-2010-1667 | <= 1.0.14 | Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remo | | |
| CVE-2010-0400 | all versions | SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a userna | | |
| CVE-2009-3299 | <= 1.0.12 | Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote at | | |
| CVE-2009-3298 | <= 1.0.12 | Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authenticated institution administrators to reset a site administrator | | |
| CVE-2009-2171 | all versions | Mahara 1.1 before 1.1.5 does not apply permission checks when saving a view that contains artefacts, which allows remote authentic | | |
| CVE-2009-2170 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 before 1.0.12 and 1.1 before 1.1.5 allow remote attackers to inj | | |
| CVE-2009-0664 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to | | |
| CVE-2009-0660 | all versions | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 before 1.0.10 and 1.1 before 1.1.2 allow remote attackers to inj | | |
| CVE-2009-0487 | <= 1.0.8 | Cross-site scripting (XSS) vulnerability in Mahara before 1.0.9 allows remote attackers to inject arbitrary web script or HTML via | | |
| CVE-2008-0381 | <= 0.9.0 | Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scri | | |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin