First published: Thu Apr 30 2020
In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account details are shared in the Elasticsearch results for accounts that are not accessible when the config setting 'Isolated institutions' is turned on.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mahara Mahara | >=19.04 <19.04.5 | |
| Mahara Mahara | >=19.10 <19.10.3 | |
| Mahara Mahara | =20.04-rc1 | |
| Mahara Mahara | =20.04-rc2 | |
CVE-2020-9387 is a vulnerability that exists in Mahara versions 19.04 before 19.04.5 and 19.10 before 19.10.3.
CVE-2020-9387 allows account details to be shared in the Elasticsearch results for inaccessible accounts when the 'Isolated institutions' config setting is turned on.
The severity of CVE-2020-9387 is medium with a CVSS score of 4.3.
To fix CVE-2020-9387, upgrade to Mahara 19.04.5, 19.10.3, or later.
More information about CVE-2020-9387 can be found at the following references: [1] [2].