CVE-2023-47799

Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://git.mahara.org/catalyst-security/mahara-security/-/issues/2	Broken Link
https://mahara.org/interaction/forum/topic.php?id=9353	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mahara:mahara::::::::
	cpe:2.3:a:mahara:mahara::::::::

History

No history.

Information

Published : 2025-08-25 14:15

Updated : 2025-09-05 17:05

NVD link : CVE-2023-47799

Mitre link : CVE-2023-47799

CVE.ORG link : CVE-2023-47799

JSON object : View

Products Affected

mahara

mahara

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-47799", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-25T14:15:28.907", "references": [{"url": "https://git.mahara.org/catalyst-security/mahara-security/-/issues/2", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://mahara.org/interaction/forum/topic.php?id=9353", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported."}, {"lang": "es", "value": "Mahara, versiones anteriores a la 22.10.4 y 23.x, versiones anteriores a la 23.04.4, permite la divulgaci\u00f3n de informaci\u00f3n si se utiliza la exportaci\u00f3n masiva de HTML experimental a trav\u00e9s de la interfaz de administraci\u00f3n o la CLI, y los archivos de exportaci\u00f3n resultantes se entregan a los titulares de las cuentas. Estos pueden contener im\u00e1genes de otros titulares de cuentas, ya que la cach\u00e9 no se borra despu\u00e9s de exportar los archivos de una cuenta."}], "lastModified": "2025-09-05T17:05:01.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F19292E-305C-4E12-908F-32C85D0C0798", "versionEndExcluding": "22.10.4"}, {"criteria": "cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46968006-FCDF-4E06-87D5-9A1C749ED35D", "versionEndExcluding": "23.04.4", "versionStartIncluding": "23.04.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}