Critical Vulnerability Information

1. Cross Site Scripting (XSS)
Attack Type: Remote
Impact: Code Execution
Affected Versions: Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1
Description: XML files with specific structures, when processed, may lead to code execution.
Reporter: Marlon Starkloff
CVE Reference: CVE-2022-45134

2. Directory Traversal
Attack Type: Remote
Impact: Incorrect Access Control / Code Execution
Affected Versions: Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1
Description: XML files with specific structures allow traversal of the server's file system to access protected files or, depending on the payload, to execute code.
Reporter: Marlon Starkloff
CVE Reference: CVE-2022-45133

3. Information Disclosure
Attack Type: Local
Impact: Information Disclosure
Affected Versions: Mahara before 22.10.4 and 23.x before 23.04.4
Description: If the experimental HTML bulk export is used via the admin interface or the CLI, images belonging to other account holders may be disclosed, because the cache is not cleared after a user's files have been exported.
Reporter: Francis Devine (Catalyst IT)
CVE Reference: CVE-2023-47799

Recommendations
Update Mahara instances to the latest minor version.
Upgrade outdated and unsupported versions to supported versions.
Extended security support is available through subscription.
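To help operators decide whether an instance needs the update recommended above, here is an added example (not code from Mahara or from the advisory) that maps a Mahara version string onto the affected ranges quoted in the three entries. It reads each range literally as a half-open interval, so "before 22.10.4" in entry 3 is taken as every version lower than 22.10.4; that literal reading is an assumption of this example.

```python
"""Report which CVEs from this advisory apply to a given Mahara version."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '22.10.1' or '22.04' into a comparable (major, minor, patch) tuple.

    A two-part version such as '22.04' is treated as 22.04.0, the first
    release of that series (an assumption made for range comparison).
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected Mahara version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


# Half-open ranges [lower, upper): a version is affected when lower <= v < upper.
# Values are transcribed from the "Affected Versions" lines of the advisory.
_XML_RANGES = [
    ((21, 10, 0), (21, 10, 6)),  # 21.10 before 21.10.6
    ((22, 4, 0), (22, 4, 4)),    # 22.04 before 22.04.4
    ((22, 10, 0), (22, 10, 1)),  # 22.10 before 22.10.1
]

AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2022-45134": _XML_RANGES,
    "CVE-2022-45133": _XML_RANGES,
    "CVE-2023-47799": [
        ((0, 0, 0), (22, 10, 4)),   # "before 22.10.4", read literally
        ((23, 0, 0), (23, 4, 4)),   # 23.x before 23.04.4
    ],
}


def affected_cves(version: str) -> List[str]:
    """Return the advisory CVE ids whose affected ranges contain `version`."""
    v = parse_version(version)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(lo <= v < hi for lo, hi in ranges)
    ]


if __name__ == "__main__":
    for sample in ("21.10.5", "22.10.1", "22.10.4", "23.04.3", "23.04.4"):
        print(sample, affected_cves(sample) or "not affected by this advisory")
```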