In Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0, a site using Isolated Institutions is vulnerable if more than ten groups are used. They are all shown from page 2 of the group results list (rather than only being shown for the institution that the viewer is a member of).
During installation, installed file permissions are set to allow anyone to modify those files.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Mahara | Mahara | * | 20.10.5 (excluding) |
Mahara | Mahara | 21.04.0 (including) | 21.04.4 (excluding) |
Mahara | Mahara | 21.10.0 (including) | 21.10.2 (excluding) |
Mahara | Mahara | 22.04.0-rc1 (including) | 22.04.0-rc1 (including) |