Launchpad CVE tracker

CVE 2011-1404

Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obtain sensitive information via a request associated with (1) blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3) group/membersearchresults.json.php, or (4) json/friendsearch.php, as demonstrated by information about friends and e-mail addresses.

Related bugs and status

CVE-2011-1404 (Candidate) is related to these bugs:

Bug #746182: Overriding start/stop dates not checked

		In	Importance	Status
746182	Overriding start/stop dates not checked	Mahara	High	Fix Released
746182	Overriding start/stop dates not checked	Mahara 1.2	High	Fix Released
746182	Overriding start/stop dates not checked	Mahara 1.3	High	Fix Released
746182	Overriding start/stop dates not checked	Mahara 1.0	High	Won't Fix

Bug #771623: Check edit permissions in tasks.json.php

Summary				In	Importance	Status
	771623	Check edit permissions in tasks.json.php		Mahara	High	Fix Released
	771623	Check edit permissions in tasks.json.php		Mahara 1.3	High	Fix Released

Bug #771637: Check view permissions in viewtasks.json.php

Summary				In	Importance	Status
	771637	Check view permissions in viewtasks.json.php		Mahara	High	Fix Released
	771637	Check view permissions in viewtasks.json.php		Mahara 1.3	High	Fix Released

Bug #771644: Check edit permissions in blog index.json.php

Summary				In	Importance	Status
	771644	Check edit permissions in blog index.json.php		Mahara	High	Fix Released
	771644	Check edit permissions in blog index.json.php		Mahara 1.3	High	Fix Released

Bug #771653: Check view permissions in blog posts.json.php

Summary				In	Importance	Status
	771653	Check view permissions in blog posts.json.php		Mahara	High	Fix Released
	771653	Check view permissions in blog posts.json.php		Mahara 1.3	High	Fix Released

Bug #772140: Information disclosure in my friends pagination script

Summary				In	Importance	Status
	772140	Information disclosure in my friends pagination script		Mahara	High	Fix Released
	772140	Information disclosure in my friends pagination script		Mahara 1.3	High	Fix Released

Bug #772160: Userlist element json script reveals user information

		In	Importance	Status
772160	Userlist element json script reveals user information	Mahara	High	Fix Released
772160	Userlist element json script reveals user information	Mahara 1.2	High	Fix Released
772160	Userlist element json script reveals user information	Mahara 1.3	High	Fix Released

Bug #772174: Group member search json script reveals user information

Summary				In	Importance	Status
	772174	Group member search json script reveals user information		Mahara	High	Fix Released
	772174	Group member search json script reveals user information		Mahara 1.3	High	Fix Released

Bug #772179: Ajax script for friend search pagination reveals user information

		In	Importance	Status
772179	Ajax script for friend search pagination reveals user information	Mahara	High	Fix Released
772179	Ajax script for friend search pagination reveals user information	Mahara 1.2	High	Fix Released
772179	Ajax script for friend search pagination reveals user information	Mahara 1.3	High	Fix Released

Bug #780917: Major security updates for Mahara

		In	Importance	Status
780917	Major security updates for Mahara	mahara (Ubuntu)	Undecided	Fix Released
780917	Major security updates for Mahara	mahara (Ubuntu Lucid)	High	Fix Released
780917	Major security updates for Mahara	mahara (Ubuntu Maverick)	High	Fix Released
780917	Major security updates for Mahara	mahara (Ubuntu Natty)	High	Fix Released
780917	Major security updates for Mahara	mahara (Ubuntu Oneiric)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2011-1404

References