CVE-2024-39335
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-05
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mahara | mahara | From 23.04.0 (inc) to 23.04.6 (exc) |
| mahara | mahara | From 24.04.0 (inc) to 24.04.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-39335 is an information disclosure vulnerability in the Mahara ePortfolio System in versions before 24.04.1 and 23.04.6. It is caused by insecure permissions in the SQL query logic that fetches 'Current submissions' on the Administration -> Groups -> Submissions page. Specifically, an institution administrator can view the submissions of users whose portfolios have been archived even when that administrator is not an administrator of those users. The cause is an incorrect order of execution in the construction of the SQL command, which lets the query return information the administrator is not authorized to see. [1]
How can this vulnerability impact me?
This vulnerability allows institution administrators to access confidential or private submission information of users whose portfolios have been archived, even when they should have no permission to see that data. Such unauthorized access can lead to privacy breaches and potential misuse of sensitive user information within the Mahara system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected by verifying the version of the Mahara ePortfolio System in use: an installation is affected if its version is prior to 24.04.1 or 23.04.6. No specific network or system commands for detecting the vulnerability directly are provided. To check the version, use a method appropriate to your deployment environment, such as reading the application version from the web interface or inspecting the installed package version. [1]
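As an added example that is not part of this page or of the Mahara project, the following Python encodes the affected ranges from the table above and checks an installed release string against them. It assumes the release string has already been obtained from the deployment, and that a release given without a patch level (for example "24.04") means the .0 release of that series.

```python
"""Check a Mahara release string against the CVE-2024-39335 affected ranges.

Added example, not Mahara project code. The ranges below are the ones listed in
the affected-products table: [first affected, first fixed) per series.
"""
from typing import Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per series, as listed on the page.
# The 22.10.6 fix mentioned in the mitigation answer has no entry in the
# affected-products table, so it is deliberately not encoded here.
AFFECTED_RANGES = (
    ((23, 4, 0), (23, 4, 6)),
    ((24, 4, 0), (24, 4, 1)),
)


def parse_release(release: str) -> Version:
    """Parse a 'YY.MM.PATCH' release string such as '24.04.0'.

    Assumption: a string with no patch level ('24.04') means the .0 release.
    Anything else (suffixes such as 'dev', extra components) is rejected rather
    than silently compared, since a wrong parse could hide an affected install.
    """
    parts = release.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Mahara release string: {release!r}")
    nums = [int(p) for p in parts]
    if len(nums) == 2:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(release: str) -> bool:
    """True if the release falls inside any affected [start, end) range."""
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_release_for(release: str) -> str:
    """For an affected release, the first fixed release of its series; else ''."""
    v = parse_release(release)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%02d.%d" % hi
    return ""


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ("23.04.5", "23.04.6", "24.04", "24.04.1", "22.10.5"):
        fix = fixed_release_for(sample)
        print(f"{sample:>8}: " + (f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"))
```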
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Mahara ePortfolio System to one of the fixed versions: 24.04.1, 23.04.6, or 22.10.6. Upgrade to the latest minor release of your Mahara series, or to a supported series if yours is no longer supported. These releases fix the insecure permissions in the SQL query logic that cause the information disclosure, and applying them is the recommended action to prevent unauthorized access to user submissions. [1]