Mahara: >> Mahara >> 22.10.4 Security Vulnerabilities
Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-08-26
An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-08-26
Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-08-26
An issue was discovered in Mahara 23.04.8 and 24.04.4. Attackers may utilize escalation of privileges in certain cases when logging into Mahara with Learning Tools Interoperability (LTI).
CVSS Score
8.8
EPSS Score
0.001
Published
2025-08-26
In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-08-26