CVE-2021-29349

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-29349

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29349.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-29349

Published

2021-03-31T23:15:11.827Z

Modified

2025-11-14T11:35:57.781687Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Mahara 20.10 is affected by Cross Site Request Forgery (CSRF) that allows a remote attacker to remove inbox-mail on the server. The application fails to validate the CSRF token for a POST request. An attacker can craft a module/multirecipientnotification/inbox.php pieformdeleteall_notifications request, which leads to removing all messages from a mailbox.

References

https://github.com/0xBaz/CVE-2021-29349/issues/1

Affected packages

Git / github.com/maharaproject/mahara

Affected ranges

Type: GIT
Repo: https://github.com/maharaproject/mahara
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

baa466e351a72541cd7a28d6eb982a1fbc7a428c

Affected versions

1.*

1.0.0ALPHA1_RELEASE

1.0.0ALPHA2_RELEASE

1.0.0BETA1_RELEASE

1.0.0BETA2_RELEASE

1.1.0ALPHA1_RELEASE

1.1.0ALPHA2_RELEASE

1.1.0ALPHA3_RELEASE

1.1.0BETA1_RELEASE

1.1.0BETA2_RELEASE

1.1.0BETA3_RELEASE

1.1.0BETA4_RELEASE

1.2.0ALPHA1_RELEASE

1.2.0ALPHA2_RELEASE

1.2.0ALPHA3_RELEASE

1.2.0BETA1_RELEASE

1.2.0BETA2_RELEASE

1.2.0BETA3_RELEASE

1.2.0BETA4_RELEASE

1.2.0RC1_RELEASE

1.3.0BETA1_RELEASE

1.3.0BETA2_RELEASE

1.3.0BETA3_RELEASE

1.3.0BETA4_RELEASE

1.4.0ALPHA1_RELEASE

1.7RC1_RELEASE

1.8RC1_RELEASE

1.8RC2_RELEASE

20.*

20.10.0_RELEASE

20.10RC1_RELEASE

20.10RC2_RELEASE

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29349.json"