CVE-2020-9387

EUVD-2020-30208
In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
maharamahara
19.04 ≤
𝑥
< 19.04.5
maharamahara
19.10 ≤
𝑥
< 19.10.3
maharamahara
20.04:rc1
maharamahara
20.04:rc2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
bionic
dne
eoan
dne
focal
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://bugs.launchpad.net/mahara/+bug/1836984
https://mahara.org/interaction/forum/topic.php?id=8612
https://bugs.launchpad.net/mahara/+bug/1836984
https://mahara.org/interaction/forum/topic.php?id=8612