Page 5 of 32 results (0.003 seconds)

CVSS: 4.0EPSS: 0%CPEs: 65EXPL: 0

Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obtain sensitive information via a request associated with (1) blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3) group/membersearchresults.json.php, or (4) json/friendsearch.php, as demonstrated by information about friends and e-mail addresses. Mahara antes de v1.3.6 no restringe correctamente los datos en las respuestas a las llamadas AJAX, que permite a usuarios remotos autenticados a obtener información sensible a través de una solicitud asociada con (1) blocktype/MyFriends/myfriends.json.php ,(2) json/usersearch.php,(3) group/membersearchresults.json.php, o (4)json/friendsearch.php, como lo demuestra la información sobre amigos y direcciones de correo electrónico. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67395 https://launchpad.net/mahara/+bug/772140 https://launchpad.net/mahara/+bug/772160 https://launchpad.net/mahara/+bug/772174 https://launchpad.net/mahara/+bug/772179 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 0%CPEs: 62EXPL: 0

Cross-site scripting (XSS) vulnerability in blocktype/groupviews/theme/raw/groupviews.tpl in Mahara before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados en blocktype/groupviews/theme/raw/groupviews.tpl En Mahara anterior v1.3.3 permite a atacantes remotos inyectar código web o HTML de su elección a tarvés de vectores no especificados. NOTA: algunos de estos detalles han sido obtenidos de terceras partes. • http://secunia.com/advisories/42152 http://wiki.mahara.org/Release_Notes/1.3.3 http://www.securityfocus.com/bid/44705 https://exchange.xforce.ibmcloud.com/vulnerabilities/63052 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 1%CPEs: 49EXPL: 0

Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information. Mahara anterior v1.0.15, v1.1.x anterior v1.1.9, y v1.2.x anterior v1.2.5 posee opciones de configuración inadecuadas para plugins de autenticación asociados con identificaciones que usa la funcionalidad single sign-on (SSO), permitiendo a atacantes remotos superar la autenticación a través de una password vacía. NOTA: algunos de estos detalles han sido obtenidos de información de terceros. • http://secunia.com/advisories/40431 http://wiki.mahara.org/Release_Notes/1.0.15 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.2.5 http://www.securityfocus.com/bid/41319 • CWE-287: Improper Authentication •

CVSS: 4.3EPSS: 0%CPEs: 127EXPL: 0

Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en HTML Purifier anterior v4.1.1, como el usado en Mahara y otros productos, cuando el navegador es Internet Explorer, permite a atacantes remotos inyectar código web o HTML de su elección a través de vectores no especificados. • http://htmlpurifier.org/news/2010/0531-4.1.1-released http://repo.or.cz/w/htmlpurifier.git/commitdiff/18e538317a877a0509ae71a860429c41770da230 http://secunia.com/advisories/39613 http://secunia.com/advisories/40431 http://wiki.mahara.org/Release_Notes/1.0.15 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.2.5 http://www.securityfocus.com/bid/41259 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 49EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Mahara anterior v1.0.15, v1.1.x anterior v1.1.9, y 1.2.x anteior v1.2.5 permite a atacantes remotos secuestar la autenticación de víctimas no especificadas a través de vectores desconocidos. • http://secunia.com/advisories/40431 http://wiki.mahara.org/Release_Notes/1.0.15 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.2.5 http://www.securityfocus.com/bid/41319 https://exchange.xforce.ibmcloud.com/vulnerabilities/59994 • CWE-352: Cross-Site Request Forgery (CSRF) •