CVE-2022-45133

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to obtain access to secure files or cause code execution based on the payload.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
mitreCNA
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
VendorProductVersion
maharamahara
21.10.0 ≤
𝑥
< 21.10.6
maharamahara
22.04.0 ≤
𝑥
< 22.04.4
maharamahara
22.10.0 ≤
𝑥
< 22.10.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bugs.launchpad.net/mahara/+bug/1995819
https://mahara.org/interaction/forum/topic.php?id=9353