Critical Vulnerability Information

Vulnerability Title: Skin font upload file can be manipulated to be a path
CVE ID: CVE-2022-45133
Affected Versions:
- Mahara 21.10
- Mahara 22.04
- Mahara 22.10
- Mahara 23.04
Status: Fix Released
Severity: High
Fix Milestones:
- Mahara 21.10.6
- Mahara 22.04.4
- Mahara 22.10.1
- Mahara 23.04.0

Vulnerability Description

When importing a skin, if the font section in the XML markup contains a string with path information, it may lead to potential security issues. For example, an attacker could exploit this vulnerability by placing an executable payload in the section and positioning it within the directory.

Solution

The system should be hardened by ensuring only the filename portion of strings is used and validating that the filename corresponds to a valid font file type.
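The following PHP is an added illustration of the hardening described in the Solution section; it is not Mahara's own code and not the shipped fix. The skin XML layout (`<fonts><font><file>...</file></font></fonts>`), the function names, the allow-list of font extensions and the font directory path are all assumptions made for this example. It shows the unsafe pattern (XML value concatenated straight into a filesystem path) beside a hardened version that keeps only the basename and accepts it only if it is a single-extension font filename.

```php
<?php
declare(strict_types=1);

// Constructed sample skin XML (not a real Mahara export): one legitimate font,
// one traversal-style value of the kind the advisory describes, and one value
// carrying a directory component that should be stripped.
const SAMPLE_SKIN_XML = <<<'XML'
<skin>
  <fonts>
    <font><name>Roboto</name><file>Roboto-Regular.ttf</file></font>
    <font><name>Evil</name><file>../../htdocs/evil.php</file></font>
    <font><name>Nested</name><file>subdir\OpenSans.woff2</file></font>
  </fonts>
</skin>
XML;

// Assumed allow-list of font file types; extend only with formats the
// deployment actually serves.
const ALLOWED_FONT_EXTENSIONS = ['ttf', 'otf', 'woff', 'woff2', 'eot'];

// Unsafe pattern (before the fix): the untrusted XML value is appended to the
// font directory as-is, so '../' segments or a '.php' suffix reach the filesystem.
function unsafe_font_destination(string $fontdir, string $raw): string
{
    return $fontdir . DIRECTORY_SEPARATOR . $raw;
}

// Hardened version: reduce the value to its filename portion and require a
// single, known font extension. Returns null when the value must be rejected.
function safe_font_filename(string $raw): ?string
{
    // Embedded NUL bytes can truncate paths in lower-level APIs; reject outright.
    if (strpos($raw, "\0") !== false) {
        return null;
    }
    // Treat backslashes as separators too, so a Windows-style path does not
    // survive basename() on a Linux host; then keep only the last component.
    $name = basename(str_replace('\\', '/', $raw));
    // One dot, one allow-listed extension, conservative character set.
    // This also rejects '.', '..' and double extensions such as 'x.php.ttf'.
    $pattern = '/^[A-Za-z0-9_-]+\.(' . implode('|', ALLOWED_FONT_EXTENSIONS) . ')$/i';
    if (!preg_match($pattern, $name)) {
        return null;
    }
    return $name;
}

// Walk the skin XML and decide, per font entry, where it may be written.
// Nothing is written to disk here; the function only computes destinations.
function import_skin_fonts(string $xml, string $fontdir): array
{
    $doc = new SimpleXMLElement($xml);
    $result = ['accepted' => [], 'rejected' => []];
    foreach ($doc->fonts->font as $font) {
        $raw = (string) $font->file;
        $name = safe_font_filename($raw);
        if ($name === null) {
            $result['rejected'][] = $raw;
            continue;
        }
        // $name contains no separators, so the join cannot leave $fontdir.
        $result['accepted'][] = $fontdir . DIRECTORY_SEPARATOR . $name;
    }
    return $result;
}

// Assumed font directory for illustration.
$fontdir = '/var/lib/mahara/skins/fonts';
echo "Unsafe destination for the traversal value: "
    . unsafe_font_destination($fontdir, '../../htdocs/evil.php') . "\n";
print_r(import_skin_fonts(SAMPLE_SKIN_XML, $fontdir));
```

Run with `php example.php`. The `Roboto-Regular.ttf` entry is accepted unchanged, `subdir\OpenSans.woff2` is accepted as `OpenSans.woff2` inside the font directory, and `../../htdocs/evil.php` is rejected both because its basename has no font extension and because the regex never admits a path. The regex is deliberately stricter than the advisory's minimum (it also rejects multi-dot names); loosening it is a conscious choice to make per deployment, and the extension check should stay in place even then. A content-level check on the uploaded bytes (for instance the `OTTO`/`wOFF` magic numbers) is a reasonable further layer but is outside what the advisory requires.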