DSA-2030-1 mahara -- sql injectionID: oval:org.secpod.oval:def:600156 | Date: (C)2011-01-28 (M)2022-10-10 |
Class: PATCH | Family: unix |
It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names. For the stable distribution , this problem has been fixed in version 1.0.4-4+lenny5. For the testing distribution , this problem will be fixed soon. For the unstable distribution , this problem has been fixed in version 1.2.4-1. We recommend that you upgrade your mahara packages.