CVE-2024-39335
📋 TL;DR
This vulnerability allows institution administrators in Mahara to view sensitive information on the 'Current submissions' page that they should not have access to. It affects Mahara versions 24.04 before 24.04.1 and 23.04 before 23.04.6. The issue occurs under specific conditions when administrators access group submissions.
💻 Affected Systems
- Mahara
📦 What is this software?
Mahara by Mahara
⚠️ Risk & Real-World Impact
Worst Case
Institution administrators could access confidential student submissions, assessment data, or other sensitive educational information that violates privacy policies and regulations.
Likely Case
Administrators inadvertently or intentionally viewing submissions they shouldn't have access to, potentially exposing student work, grades, or personal information.
If Mitigated
Limited exposure if proper access controls and monitoring are in place, with only authorized administrators having legitimate reasons to access the submissions page.
🎯 Exploit Status
Requires institution administrator privileges and access to the specific administration page path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.04.1 or 23.04.6
Vendor Advisory: https://mahara.org/interaction/forum/topic.php?id=9519
Restart Required: No
Instructions:
1. Backup your Mahara installation and database
2. Download the patched version from mahara.org
3. Replace affected files with patched versions
4. Clear caches if applicable
5. Verify the fix by checking version and testing access controls
🔧 Temporary Workarounds
Restrict administrator access
Temporarily limit institution administrator access to the submissions page or disable the functionality
🧯 If You Can't Patch
- Implement strict access logging and monitoring for all administrator actions on submissions pages
- Review and reduce institution administrator privileges to minimum necessary levels
🔍 How to Verify
Check if Vulnerable:
Check the Mahara version in the administration panel or in config.php. If the version is a 24.04 release lower than 24.04.1, or a 23.04 release lower than 23.04.6, you are vulnerable.
Check Version:
Check config.php for $version or view version in Mahara administration interface
Verify Fix Applied:
After patching, verify version shows 24.04.1 or 23.04.6. Test that institution administrators cannot access unauthorized submissions.
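To make the version check above repeatable across many installations, the following added example (not part of the advisory or of Mahara itself) classifies a Mahara version string against the affected ranges stated on this page. The version-string format MAJOR.MINOR[.PATCH] and the "not listed" outcome for branches the advisory does not name are assumptions of the example.

```python
import re

# Fixed releases per affected branch, as stated in the advisory:
# 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable.
FIXED_IN = {
    (24, 4): (24, 4, 1),
    (23, 4): (23, 4, 6),
}


def parse_version(version_string):
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple; a missing patch means .0.

    Assumption of this example: Mahara reports versions in this dotted form.
    """
    match = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", version_string)
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version_string):
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2024-39335.

    'not listed' means the branch is not named in the advisory at all; it is
    not a statement that such a release is safe.
    """
    version = parse_version(version_string)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "not listed"
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    for v in ["24.04", "24.04.1", "23.04.5", "23.04.6", "22.10.3"]:
        print(f"{v:>8}: {classify(v)}")
```

Feed it the value read from the administration interface or config.php; a result of "not listed" should be checked against the vendor advisory rather than treated as a pass.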
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator access patterns to submissions pages
- Multiple failed access attempts to restricted submissions
Network Indicators:
- HTTP requests to administration paths with submissions parameters
SIEM Query:
source="mahara_logs" AND (path="*submissions*" OR action="view_submission") AND user_role="institution_admin"
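The log and network indicators above, implemented as an added example over constructed sample records (this is not Mahara's own log format, and the submissions path used is a placeholder, not the real page path). Each record is assumed to be one JSON object per line with user, role, path and HTTP status; the example counts institution-administrator views of submissions pages and users with repeated denied attempts, mirroring the SIEM query.

```python
import json
from collections import Counter

# Constructed sample log lines (assumed JSON-per-line format; placeholder path).
SAMPLE_LOGS = [
    '{"ts":"2024-06-01T09:00:01Z","user":"alice","role":"institution_admin","path":"/admin/groups/submissions.php","status":200}',
    '{"ts":"2024-06-01T09:00:05Z","user":"alice","role":"institution_admin","path":"/admin/users/search.php","status":200}',
    '{"ts":"2024-06-01T09:01:10Z","user":"alice","role":"institution_admin","path":"/admin/groups/submissions.php","status":200}',
    '{"ts":"2024-06-01T09:02:00Z","user":"bob","role":"member","path":"/admin/groups/submissions.php","status":403}',
    '{"ts":"2024-06-01T09:02:03Z","user":"bob","role":"member","path":"/admin/groups/submissions.php","status":403}',
    '{"ts":"2024-06-01T09:02:07Z","user":"bob","role":"member","path":"/admin/groups/submissions.php","status":403}',
    '{"ts":"2024-06-01T09:03:00Z","user":"carol","role":"site_admin","path":"/admin/groups/submissions.php","status":200}',
    '{"ts":"2024-06-01T09:04:00Z","user":"dave","role":"member","path":"/view/view.php","status":200}',
    'this line is not json and must not abort the run',
    '{"ts":"2024-06-01T09:05:00Z","user":"erin","role":"member","path":"/admin/groups/submissions.php","status":403}',
]

# Denied attempts per user at or above this count are reported (assumed threshold).
FAILED_THRESHOLD = 3


def parse_events(lines):
    """Parse JSON-per-line records, skipping malformed lines instead of failing."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_submissions_path(event):
    return "submissions" in event.get("path", "")


def find_indicators(lines, failed_threshold=FAILED_THRESHOLD):
    """Return the two indicator classes the advisory lists.

    admin_submission_views: submissions-page hits per institution_admin user
                            (the same filter as the SIEM query; site_admin is
                            deliberately not matched, as in that query).
    repeated_failures:      users with >= failed_threshold denied (401/403)
                            requests to submissions pages.
    """
    events = parse_events(lines)
    admin_views = Counter(
        e["user"] for e in events
        if e.get("role") == "institution_admin" and is_submissions_path(e)
    )
    failures = Counter(
        e["user"] for e in events
        if is_submissions_path(e) and e.get("status") in (401, 403)
    )
    repeated = {u: n for u, n in failures.items() if n >= failed_threshold}
    return {"admin_submission_views": dict(admin_views), "repeated_failures": repeated}


if __name__ == "__main__":
    print(json.dumps(find_indicators(SAMPLE_LOGS), indent=2))
```

Run it against exported web-server or application logs converted to this shape; the per-user counts are the baseline from which "unusual" access patterns are judged, since legitimate administrators will also appear in the first list.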