CVE-2012-2239

EUVD-2012-2232
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
maharamahara
1.4.0 ≤
𝑥
< 1.4.4
maharamahara
1.5.0 ≤
𝑥
< 1.5.3
debiandebian_linux
6.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
hardy
dne
lucid
ignored
oneiric
ignored
precise
ignored
quantal
ignored
raring
not-affected
saucy
not-affected
trusty
dne
utopic
dne
vivid
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://www.debian.org/security/2012/dsa-2591
https://bugs.launchpad.net/mahara/+bug/1047111
https://mahara.org/interaction/forum/topic.php?id=4869
http://www.debian.org/security/2012/dsa-2591
https://bugs.launchpad.net/mahara/+bug/1047111
https://mahara.org/interaction/forum/topic.php?id=4869