Debian Security Advisory
DSA-2206-1 mahara -- several vulnerabilities
- Date Reported:
- 29 Mar 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-0439, CVE-2011-0440.
- More information:
Two security vulnerabilities have been discovered in Mahara, a fully featured electronic portfolio, weblog, resume builder and social networking system:
A security review commissioned by a Mahara user discovered that Mahara processes unsanitized input which can lead to cross-site scripting (XSS).
Mahara Developers discovered that Mahara doesn't check the session key under certain circumstances which can be exploited as cross-site request forgery (CSRF) and can lead to the deletion of blogs.
For the old stable distribution (lenny) these problems have been fixed in version 1.0.4-4+lenny8.
For the stable distribution (squeeze) these problems have been fixed in version 1.2.6-2+squeeze1.
For the unstable distribution (sid) these problems have been fixed in version 1.2.7.
We recommend that you upgrade your mahara package.