CVE-2024-39335

Mahara · Mahara

An information disclosure vulnerability in Mahara allows institution administrators to access unauthorized data under specific conditions.

Executive summary

A vulnerability in Mahara allows institution administrators to access restricted information, posing a risk to data confidentiality.

Vulnerability

Mahara's access-control logic is incorrect, so an authenticated institution administrator can view information that lies outside the scope their role permits. The flaw is reachable only under specific conditions, through the 'Current submission' workflow.

Business impact

This flaw results in a breach of data privacy, since institution administrators can view sensitive information beyond their authorized scope. With a CVSS score of 9.1, it represents a significant risk to organizational compliance and to the privacy of user data stored within the Mahara platform.

Remediation

Immediate Action: Update Mahara to version 24.04.1 or 23.04.6, depending on the current branch in use.

Proactive Monitoring: Review administrative access logs for unusual patterns or queries regarding submission data that fall outside standard operational workflows.

Compensating Controls: Temporarily restrict administrative permissions for the affected 'Current submission' module until the patch can be applied.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Data privacy is paramount for educational and institutional platforms. Security teams must apply the specified patches to the Mahara environment immediately to prevent unauthorized information disclosure and ensure the integrity of sensitive user submissions.