CVE-2024-39335
Mahara · Mahara
An information disclosure vulnerability in Mahara allows institution administrators to access unauthorized data under specific conditions.
Executive summary
A vulnerability in Mahara allows institution administrators to access restricted information, posing a risk to data confidentiality.
Vulnerability
The application incorrectly handles access control logic, allowing authenticated institution administrators to view information they are not permitted to see. This is triggered under specific conditions via the 'Current submission' workflow.
Business impact
This flaw results in a breach of data privacy, as administrators can view sensitive information beyond their authorized scope. With a CVSS score of 9.1, this represents a significant risk to organizational compliance and the privacy of user data stored within the Mahara platform.
Remediation
Immediate Action: Update Mahara to version 24.04.1 or 23.04.6, depending on the current branch in use.
Proactive Monitoring: Review administrative access logs for unusual patterns or queries regarding submission data that fall outside standard operational workflows.
Compensating Controls: Temporarily restrict administrative permissions for the affected 'Current submission' module until the patch can be applied.
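To turn the "Immediate Action" item into something that can be checked across a fleet, the following is an added example (not Mahara project code and not part of this advisory) that classifies a Mahara release string against the two fixed versions the advisory names. It assumes release strings follow the MAJOR.MINOR.PATCH shape of those fixed versions and that MAJOR.MINOR identifies the branch; any branch other than 24.04 and 23.04 is reported as unknown rather than silently marked safe, because the advisory only names fixes for those two.

```python
"""Release-string triage for CVE-2024-39335 (added example, not Mahara code).

Assumptions (not stated in the advisory): release strings look like
'24.04.1' or '24.04' (a missing patch number is treated as .0), and the
MAJOR.MINOR prefix identifies the branch. Only the two branches named in
the advisory have known fixed releases.
"""
import re

# Minimum patched release per branch, taken from the advisory text.
FIXED_VERSIONS = {
    (24, 4): (24, 4, 1),   # 24.04 branch fixed in 24.04.1
    (23, 4): (23, 4, 6),   # 23.04 branch fixed in 23.04.6
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Parse '24.04.0' (or '24.04') into an int tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text: str) -> str:
    """Classify one release string.

    Returns 'patched', 'vulnerable', 'unknown' (branch not covered by the
    advisory, needs human review) or 'invalid' (unparseable string).
    """
    v = parse_version(version_text)
    if v is None:
        return "invalid"
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        return "unknown"
    return "patched" if v >= FIXED_VERSIONS[branch] else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map host -> assessment for a {host: release_string} inventory."""
    return {host: assess(release) for host, release in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "portal-a": "24.04.0",
        "portal-b": "24.04.1",
        "portal-c": "23.04.5",
        "portal-d": "22.10.3",
        "portal-e": "n/a",
    }
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

The "unknown" outcome is deliberate: a branch the advisory does not mention is not evidence of safety, so the script refuses to guess and leaves that host for manual review.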
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Data privacy is paramount for educational and institutional platforms. Security teams must apply the specified patches to the Mahara environment immediately to prevent unauthorized information disclosure and ensure the integrity of sensitive user submissions.