CVE-2021-40849
moderate-risk
Published 2021-11-03
In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.
Do I need to act?
-
0.43% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 84bc4a5c7030470a811a630b242066df098ec273, d294a69446e795dcbddf4e4929d597968bbdc4ef, 0c3426bf91635a3e33c4cda993af52318e123d9a
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Vendors
References (4)
Vendor Advisory
https://bugs.launchpad.net/mahara/+bug/1930469
Vendor Advisory
https://mahara.org/interaction/forum/topic.php?id=8949
Vendor Advisory
https://bugs.launchpad.net/mahara/+bug/1930469
Vendor Advisory
https://mahara.org/interaction/forum/topic.php?id=8949
43
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
9/34 · Low