CVSS: 4.0EPSS: 0%CPEs: 18EXPL: 0CVE-2011-2774
https://notcve.org/view.php?id=CVE-2011-2774
The "Reply to message" feature in Mahara 1.3.x and 1.4.x before 1.4.1 allows remote authenticated users to read the messages of a different user via a modified replyto parameter. La característica "Reply to message" en Mahara v1.3.x y v1.4.x, antes de v1.4.1, permite a usuarios autenticados remotamente leer mensajes de un usuario diferente a través de un parámetro replyto modificado • http://secunia.com/advisories/46719 https://launchpad.net/bugs/798128 https://launchpad.net/mahara/+milestone/1.4.1 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 72EXPL: 0CVE-2011-2773
https://notcve.org/view.php?id=CVE-2011-2773
Cross-site request forgery (CSRF) vulnerability in Mahara before 1.4.1 allows remote attackers to hijack the authentication of administrators for requests that add a user to an institution. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Mahara anterior a v1.4.1 permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que añaden un usuario a "institution". • http://secunia.com/advisories/46719 http://security.debian.org/debian-security/pool/updates/main/m/mahara/mahara_1.2.6-2+squeeze3.debian.tar.gz http://www.debian.org/security/2011/dsa-2334 https://bugs.launchpad.net/mahara/+bug/800032 https://launchpad.net/mahara/+milestone/1.4.1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 1%CPEs: 72EXPL: 0CVE-2011-2772
https://notcve.org/view.php?id=CVE-2011-2772
The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image. La función get_dataroot_image_path en lib/file.php en Mahara anterior a v1.4.1 no valida adecuadamente la subida de imagenes, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de memoria) a través de (1) imagen no válida o (2)grande. • http://secunia.com/advisories/46719 http://security.debian.org/debian-security/pool/updates/main/m/mahara/mahara_1.2.6-2+squeeze3.debian.tar.gz http://www.debian.org/security/2011/dsa-2334 https://bugs.launchpad.net/mahara/+bug/784978 https://launchpad.net/mahara/+milestone/1.4.1 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 72EXPL: 1CVE-2011-2771
https://notcve.org/view.php?id=CVE-2011-2771
Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Mahara anterior a v1.4.1 permite a atacantes remotos inyectar código web script o HTML a través de vectores relacionado con (1) atributos URI y (2) el componente External Feed, como se demostró por el elemento "guid" en un RSS. • http://secunia.com/advisories/46719 http://security.debian.org/debian-security/pool/updates/main/m/mahara/mahara_1.2.6-2+squeeze3.debian.tar.gz http://www.debian.org/security/2011/dsa-2334 https://bugs.launchpad.net/mahara/+bug/798136 https://launchpad.net/mahara/+milestone/1.4.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •