CVSS: 3.5EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1405
https://notcve.org/view.php?id=CVE-2011-1405
Cross-site scripting (XSS) vulnerability in Mahara before 1.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors associated with HTML e-mail messages, related to artefact/comment/lib.php and interaction/forum/lib.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en Mahara para versiones anteriores a v1.3.6, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través vectores asociados a los mensajes de correo en HTML, relacionado con artefact/comment/lib.php y interaction/forum/lib.php. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67399 https://launchpad.net/mahara/+bug/772860 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1402
https://notcve.org/view.php?id=CVE-2011-1402
Mahara before 1.3.6 allows remote authenticated users to bypass intended access restrictions, and suspend a user account, edit a view, visit a view, edit a plan artefact, read a plans block, read a plan artefact, edit a blog, read a blog block, read a blog artefact, or access a block, via a request associated with (1) admin/users/search.json.php, (2) view/newviewtoken.json.php, (3) lib/mahara.php, (4) artefact/plans/tasks.json.php, (5) artefact/plans/viewtasks.json.php, (6) artefact/blog/view/index.json.php, (7) artefact/blog/posts.json.php, or (8) blocktype/myfriends/myfriends.json.php, related to incorrect privilege enforcement, a missing user id check, and incorrect enforcement of the Overriding Start/Stop Dates setting. Mahara antes de v1.3.6 permite a usuarios remotos autenticados a eludir las restricciones de acceso previsto, y suspender una cuenta de usuario, editar un punto de vista, visitar una vista, editar un plan de artefactos, leer un bloque de planes, leer un plan de artefactos, editar un blog, leer un bloque de blog, leer un artefacto blog, o acceder a un bloque, a través de una solicitud asociada con (1) admin/users/search.json.php, (2) view/newviewtoken.json.php, (3) lib/mahara.php, (4) artefact/plans/tasks.json.php, (5) artefact/plans/viewtasks.json.php, (6) artefact/blog/view/index.json.php, (7) artefact/blog/posts.json.php, or (8) blocktype/myfriends/myfriends.json.php,relacionados con la aplicación incorrecta de privilegios, comprobación de un usuario no existente y aplicación de la sobrescritura de las fechas de inicio/parada. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67396 https://exchange.xforce.ibmcloud.com/vulnerabilities/67397 https://launchpad.net/mahara/+bug/746182 https://launchpad.net/mahara/+bug/771592 https://launchpad.net/mahara/+bug/771614 https://launchpad.net/mahara/+bug/771623 https://launchpad.net/mahara/+bug/771637 https://launchpad.net/mahara/&# • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1403
https://notcve.org/view.php?id=CVE-2011-1403
Cross-site request forgery (CSRF) vulnerability in the pieforms implementation in Mahara before 1.3.6 allows remote attackers to hijack the authentication of arbitrary users for requests to any form, related to inappropriate regeneration of session keys. vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la implementación de los pieforms en Mahara anteriores a v1.3,6, permite a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para peticiones a cualquier formulario, relacionados con una regeneración no apropiada de las claves de sesión. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67398 https://launchpad.net/mahara/+bug/771598 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.0EPSS: 0%CPEs: 65EXPL: 0CVE-2011-1404
https://notcve.org/view.php?id=CVE-2011-1404
Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obtain sensitive information via a request associated with (1) blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3) group/membersearchresults.json.php, or (4) json/friendsearch.php, as demonstrated by information about friends and e-mail addresses. Mahara antes de v1.3.6 no restringe correctamente los datos en las respuestas a las llamadas AJAX, que permite a usuarios remotos autenticados a obtener información sensible a través de una solicitud asociada con (1) blocktype/MyFriends/myfriends.json.php ,(2) json/usersearch.php,(3) group/membersearchresults.json.php, o (4)json/friendsearch.php, como lo demuestra la información sobre amigos y direcciones de correo electrónico. • http://secunia.com/advisories/44433 http://www.debian.org/security/2011/dsa-2246 http://www.securityfocus.com/bid/47798 https://exchange.xforce.ibmcloud.com/vulnerabilities/67395 https://launchpad.net/mahara/+bug/772140 https://launchpad.net/mahara/+bug/772160 https://launchpad.net/mahara/+bug/772174 https://launchpad.net/mahara/+bug/772179 https://launchpad.net/mahara/+milestone/1.3.6 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 0%CPEs: 24EXPL: 0CVE-2011-0440
https://notcve.org/view.php?id=CVE-2011-0440
Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that delete blogs. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en Mahara v1.2.x anteriores a v1.2.7 y v1.3.x anteriores a V1.3.4 , permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones de borrado de Blogs. • http://mahara.org/interaction/forum/topic.php?id=3206 http://mahara.org/interaction/forum/topic.php?id=3208 http://secunia.com/advisories/43858 http://www.debian.org/security/2011/dsa-2206 http://www.securityfocus.com/bid/47033 https://exchange.xforce.ibmcloud.com/vulnerabilities/66326 • CWE-352: Cross-Site Request Forgery (CSRF) •