{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "21.10.0-rc1" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "21.10.0-rc2" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "20.04.5" }, { "introduced": "20.10.0" }, { "fixed": "20.10.3" }, { "introduced": "21.04.0" }, { "fixed": "21.04.2" } ] }, "events": [ { "introduced": "0" }, { "fixed": "84bc4a5c7030470a811a630b242066df098ec273" }, { "introduced": "baa466e351a72541cd7a28d6eb982a1fbc7a428c" }, { "fixed": "d294a69446e795dcbddf4e4929d597968bbdc4ef" }, { "introduced": "359597b32c7afe52339422a91f14256e17b33dfc" }, { "fixed": "0c3426bf91635a3e33c4cda993af52318e123d9a" } ], "repo": "https://github.com/maharaproject/mahara", "type": "GIT" } ] } ], "details": "In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.", "id": "CVE-2021-40849", "modified": "2026-03-13T21:52:06.655302676Z", "published": "2021-11-03T11:15:08.310Z", "references": [ { "type": "ADVISORY", "url": "https://bugs.launchpad.net/mahara/+bug/1930469" }, { "type": "ADVISORY", "url": "https://mahara.org/interaction/forum/topic.php?id=8949" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }