CVE-2023-47799

EUVD-2023-51894
Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
maharamahara
𝑥
< 22.10.4
maharamahara
23.04.0 ≤
𝑥
< 23.04.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://git.mahara.org/catalyst-security/mahara-security/-/issues/2
https://mahara.org/interaction/forum/topic.php?id=9353