CVE-2022-42707 Mahara 21.04, 21.10, 22.04, and 22.10 has embedded images accessible without a sufficient permission check if certain conditions are met.
This behaviour might lead to a potential security risk if your site is used by people who do not have the correct permissions. For example, a blog post where images are embedded might be read by someone who has no access to the content. This might lead to a security issue. For example, this behaviour might be used in conjunction with a plugin that generates revenue by showing advertisements on your site. If an attacker can control the ad server and embed an image on your site with an ad plugin, he can steal revenue from the plugin and your site owner. This issue has been fixed in this release. Update your sites immediately.
What is the problem?
As of this release, a user can embed images in the blog post content when using the Blog Post feature.
The problem is that by default the user has the permissions to view and edit blog post content. If you allow someone who does not have permissions on your site to embed an image, they will be able to inject malicious JavaScript into your website without you knowing it. This could lead to a potential security risk if people with access to your blog posts are not restricted in their permissions.
What is the Cross Site Proxy (XSRF) Header?
The cross site proxy header (XSRF) is a header added to HTTP requests that allows websites to detect if their pages were accessed by malicious third parties. This header does not allow for malicious content to be posted on the intended website and also protects against some types of attacks.
If your website has an XSRF header, it's important that you update your website immediately.
Timeline
Published on: 11/06/2022 17:15:00 UTC
Last modified on: 11/08/2022 16:02:00 UTC