CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 1CVE-2011-2771
https://notcve.org/view.php?id=CVE-2011-2771
Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Mahara anterior a v1.4.1 permite a atacantes remotos inyectar código web script o HTML a través de vectores relacionado con (1) atributos URI y (2) el componente External Feed, como se demostró por el elemento "guid" en un RSS. • http://secunia.com/advisories/46719 http://security.debian.org/debian-security/pool/updates/main/m/mahara/mahara_1.2.6-2+squeeze3.debian.tar.gz http://www.debian.org/security/2011/dsa-2334 https://bugs.launchpad.net/mahara/+bug/798136 https://launchpad.net/mahara/+milestone/1.4.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1406
https://notcve.org/view.php?id=CVE-2011-1406
Mahara before 1.3.6 does not properly handle an https URL in the wwwroot configuration setting, which makes it easier for user-assisted remote attackers to obtain credentials by sniffing the network at a time when an http URL is used for a login. Mahara antes de v1.3.6 no controla correctamente una dirección URL https en la configuración de las opciones de wwwroot, que facilita a los atacantes remotos asistidos por el usuario a obtener las credenciales por la escucha de la red en el momento en que se realiza la conexión mediante una URL http. • http://www.debian.org/security/2011/dsa-2246 https://exchange.xforce.ibmcloud.com/vulnerabilities/67400 https://launchpad.net/mahara/+bug/685942 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-16: Configuration •
CVSS: 3.5EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1405
https://notcve.org/view.php?id=CVE-2011-1405
Cross-site scripting (XSS) vulnerability in Mahara before 1.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors associated with HTML e-mail messages, related to artefact/comment/lib.php and interaction/forum/lib.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Mahara para versiones anteriores a v1.3.6, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores asociados a los mensajes de correo en HTML, relacionado con artefact/comment/lib.php y interaction/forum/lib.php. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67399 https://launchpad.net/mahara/+bug/772860 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1402
https://notcve.org/view.php?id=CVE-2011-1402
Mahara before 1.3.6 allows remote authenticated users to bypass intended access restrictions, and suspend a user account, edit a view, visit a view, edit a plan artefact, read a plans block, read a plan artefact, edit a blog, read a blog block, read a blog artefact, or access a block, via a request associated with (1) admin/users/search.json.php, (2) view/newviewtoken.json.php, (3) lib/mahara.php, (4) artefact/plans/tasks.json.php, (5) artefact/plans/viewtasks.json.php, (6) artefact/blog/view/index.json.php, (7) artefact/blog/posts.json.php, or (8) blocktype/myfriends/myfriends.json.php, related to incorrect privilege enforcement, a missing user id check, and incorrect enforcement of the Overriding Start/Stop Dates setting. Mahara antes de v1.3.6 permite a usuarios remotos autenticados a eludir las restricciones de acceso previsto, y suspender una cuenta de usuario, editar un punto de vista, visitar una vista, editar un plan de artefactos, leer un bloque de planes, leer un plan de artefactos, editar un blog, leer un bloque de blog, leer un artefacto blog, o acceder a un bloque, a través de una solicitud asociada con (1) admin/users/search.json.php, (2) view/newviewtoken.json.php, (3) lib/mahara.php, (4) artefact/plans/tasks.json.php, (5) artefact/plans/viewtasks.json.php, (6) artefact/blog/view/index.json.php, (7) artefact/blog/posts.json.php, or (8) blocktype/myfriends/myfriends.json.php,relacionados con la aplicación incorrecta de privilegios, comprobación de un usuario no existente y aplicación de la sobrescritura de las fechas de inicio/parada. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67396 https://exchange.xforce.ibmcloud.com/vulnerabilities/67397 https://launchpad.net/mahara/+bug/746182 https://launchpad.net/mahara/+bug/771592 https://launchpad.net/mahara/+bug/771614 https://launchpad.net/mahara/+bug/771623 https://launchpad.net/mahara/+bug/771637 https://launchpad.net/mahara/&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1403
https://notcve.org/view.php?id=CVE-2011-1403
Cross-site request forgery (CSRF) vulnerability in the pieforms implementation in Mahara before 1.3.6 allows remote attackers to hijack the authentication of arbitrary users for requests to any form, related to inappropriate regeneration of session keys. vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la implementación de los pieforms en Mahara anteriores a v1.3,6, permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para peticiones a cualquier formulario, relacionados con una regeneración no apropiada de las claves de sesión. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67398 https://launchpad.net/mahara/+bug/771598 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-352: Cross-Site Request Forgery (CSRF) •