Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected: Elasticsearch implementation in Mahara
In Mahara 19.04 before 19.04.4 and 19.10 before 19.10.2, when the config setting 'Isolated institutions' is turned on, the Elasticsearch results share account details for accounts that are not accessible.
Reference: https://bugs.launchpad.net/mahara/+bug/1836984
Credit: Robert Lyon (Catalyst IT)
CVE: 2020-9387
(link CVE number to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-9387)