CVE-2022-24111: Bug #1959146 “Private group, site, or institution portfolios can...” : Bugs : Mahara
In Mahara 21.04 before 21.04.3 and 21.10 before 21.10.1, portfolios created in groups that have not been shared with non-group members and portfolios created on the site and institution levels can be viewed without requiring a login if the URL to these portfolios is known.
Portfolios should be available only to the people or groups of people who have been given access to them. This is the case for personal portfolios. However, a change introduced in Mahara 21.04 invalidated the permissions check for group, institution, and site portfolios.
To replicate:
Group:
1. Create a private group with the setting ‘Publicly viewable group’ set to ‘No’.
2. Create a page within the group and copy the URL when the page is in ‘Display’ mode.
3. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The private group page can be seen without logging in.
Institution:
1. Create an institution.
2. Create an institution page and do not share it with anybody.
3. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The institution page can be seen without logging in.
Site:
1. Create a site page and do not share it with anybody.
2. Open a private browser window and go to the copied URL.
Results:
- Expected: The site redirects to the login page.
- Actual: The site page can be seen without logging in.
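The following is an added illustration and not Mahara's code (Mahara is written in PHP; this is a constructed Python model with hypothetical names such as `Portfolio`, `Viewer`, `decide_broken` and `decide`). It contrasts the class of defect the report describes, a login requirement enforced only for personal portfolios, with a check that decides public access first and then demands a login for every owner type before consulting ownership or shares. The `reproduce` function replays the three scenarios above with an anonymous viewer, so the defective check returns "allow" for the group, institution and site pages while the corrected one redirects to login. Treating a group's ‘Publicly viewable group’ setting as granting anonymous access to its pages is an assumption of this model, not a statement about Mahara's behaviour.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional


class OwnerType(Enum):
    """The four owner kinds a portfolio page can have (modelled, not Mahara's enum)."""
    USER = "user"
    GROUP = "group"
    INSTITUTION = "institution"
    SITE = "site"


class Decision(Enum):
    ALLOW = "allow"
    LOGIN_REQUIRED = "redirect to login"
    FORBIDDEN = "forbidden"


@dataclass(frozen=True)
class Portfolio:
    owner_type: OwnerType
    owner_id: str                                # user id, group id, institution name, or "site"
    public: bool = False                         # explicitly shared with the public (no login needed)
    shared_users: FrozenSet[str] = frozenset()   # explicit per-user shares
    shared_groups: FrozenSet[str] = frozenset()  # explicit per-group shares
    public_group: bool = False                   # group setting 'Publicly viewable group' (assumption: grants anonymous access)


@dataclass(frozen=True)
class Viewer:
    user_id: Optional[str] = None                # None models an anonymous visitor (private browser window)
    groups: FrozenSet[str] = frozenset()
    institutions: FrozenSet[str] = frozenset()
    site_admin: bool = False


def decide_broken(p: Portfolio, v: Viewer) -> Decision:
    """Defective check, constructed to model the bug class in the report.

    The login requirement is only evaluated for user-owned pages; group,
    institution and site pages fall through to ALLOW regardless of viewer.
    """
    if p.owner_type is OwnerType.USER:
        if p.public or v.user_id == p.owner_id or v.user_id in p.shared_users:
            return Decision.ALLOW
        return Decision.LOGIN_REQUIRED if v.user_id is None else Decision.FORBIDDEN
    return Decision.ALLOW  # the missing check: non-personal pages are never gated


def decide(p: Portfolio, v: Viewer) -> Decision:
    """Hardened check: public access first, then login, then ownership/shares, for every owner type."""
    if p.public or (p.owner_type is OwnerType.GROUP and p.public_group):
        return Decision.ALLOW
    if v.user_id is None:
        return Decision.LOGIN_REQUIRED          # nothing non-public is served anonymously
    if v.site_admin or v.user_id in p.shared_users or (v.groups & p.shared_groups):
        return Decision.ALLOW
    if p.owner_type is OwnerType.USER:
        return Decision.ALLOW if v.user_id == p.owner_id else Decision.FORBIDDEN
    if p.owner_type is OwnerType.GROUP:
        return Decision.ALLOW if p.owner_id in v.groups else Decision.FORBIDDEN
    if p.owner_type is OwnerType.INSTITUTION:
        return Decision.ALLOW if p.owner_id in v.institutions else Decision.FORBIDDEN
    return Decision.FORBIDDEN                   # SITE pages: only explicit shares or site admins


def reproduce(check: Callable[[Portfolio, Viewer], Decision]) -> Dict[str, Decision]:
    """Replay the report's three scenarios (plus a personal page) as an anonymous viewer."""
    anonymous = Viewer()
    cases = {
        "group": Portfolio(OwnerType.GROUP, "private-group-1"),   # 'Publicly viewable group' = No, unshared
        "institution": Portfolio(OwnerType.INSTITUTION, "inst-a"),  # institution page, unshared
        "site": Portfolio(OwnerType.SITE, "site"),               # site page, unshared
        "personal": Portfolio(OwnerType.USER, "alice"),          # personal page, unshared (control case)
    }
    return {name: check(page, anonymous) for name, page in cases.items()}


if __name__ == "__main__":
    for label, check in (("broken", decide_broken), ("fixed", decide)):
        for name, outcome in reproduce(check).items():
            print(f"{label:6} {name:12} -> {outcome.value}")
```

Expected behaviour matches the report: the defective check yields "allow" for the group, institution and site pages (the "Actual" results) while still redirecting for the personal page, and the corrected check yields "redirect to login" for all four (the "Expected" results). The ordering in `decide` is the point to carry over to any real implementation: deciding the anonymous case before any owner-type branch means a new owner type cannot silently skip the login requirement.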