CRITICAL🇵🇱 Wersja polska

CVE-2022-45134

CVSS 9.8v3.1pub. 2025-08-22upd. 2025-09-08

Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed.

🤖 AI Analysis
How it works

The vulnerability (CWE-502) consists of the fact that when processing an imported XML file with a skin, the application deserializes its contents without proper validation or sanitization. An attacker can upload a specially crafted XML file, whose processing by the deserialization mechanism results in the execution of arbitrary code on the server side.

Impact

An attacker can gain full control over the server through remote code execution (RCE), threatening the confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Mahara should be updated to version 21.10.6 or later (for the 21.10 branch), 22.04.4 or later (for the 22.04 branch), or 22.10.1 or later (for the 22.10 branch). Details available in the vendor references: https://mahara.org/interaction/forum/topic.php?id=9353

Who is affected

Mahara in versions: 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mahara

    APP
    Mahara
    21.10.0 – 21.10.6 (bez)22.04.0 – 22.04.4 (bez)22.10.0 – 22.10.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2024-39335CRITICAL9.1PL ✓ten sam produkt

Mahara: Ujawnienie informacji administratorowi instytucji przez stronę 'Current submissions'

CVE-2022-44544CRITICAL9.8ten sam produkt

Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially ...

CVE-2021-40849CRITICAL9.8ten sam produkt

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is v...

CVE-2017-1000154CRITICAL9.8ten sam produkt

Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to some authentic...

CVE-2017-1000153CRITICAL9.8ten sam produkt

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect acc...