CVE-2021-29349

Severity CVSS v4.0:
Pending analysis
Type:
CWE-352 Cross-Site Request Forgery (CSRF)
Publication date:
31/03/2021
Last modified:
07/04/2021

Description

Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieform_delete_all_notifications request, which leads to removing all messages from a mailbox.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:mahara:mahara:20.10:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools