CVE-2020-9386

EUVD-2020-30207
In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that artefact anymore.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
maharamahara
18.10.0 ≤
𝑥
< 18.10.5
maharamahara
19.04.0 ≤
𝑥
< 19.04.4
maharamahara
19.10.0 ≤
𝑥
< 19.10.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
bionic
dne
eoan
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://bugs.launchpad.net/mahara/+bug/1840201
https://mahara.org/interaction/forum/topic.php?id=8589
https://bugs.launchpad.net/mahara/+bug/1840201
https://mahara.org/interaction/forum/topic.php?id=8589