First published: Wed Mar 31 2021(Updated: )
Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mahara Mahara | =20.10 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-29349 is a Cross Site Request Forgery (CSRF) vulnerability in Mahara 20.10 that allows a remote attacker to remove inbox-mail on the server.
CVE-2021-29349 affects Mahara 20.10 by failing to validate the CSRF token for a POST request, allowing an attacker to craft requests to remove inbox-mail on the server.
The severity of CVE-2021-29349 is medium with a CVSS score of 6.5.
To fix CVE-2021-29349 in Mahara 20.10, ensure that CSRF tokens are properly validated for all POST requests in the application.
More information about CVE-2021-29349 can be found at the following link: [CVE-2021-29349](https://github.com/0xBaz/CVE-2021-29349/issues/1).