Mahara Unsafe Deserialization Vulnerability in Skin Import Allowing Code Execution

Vulnerability

A vulnerability exists in Mahara versions 21.10 prior to 21.10.6, 22.04 prior to 22.04.4, and 22.10 prior to 22.10.1, where user-supplied input is deserialized unsafely during skin import. The flaw allows code execution when a specially crafted skin XML file is processed by the import routine.

Impact

Successful exploitation of this vulnerability could lead to arbitrary code execution on the server hosting Mahara.

Remediation

Users are advised to update to Mahara 21.10.6, 22.04.4, or 22.10.1, the first fixed release in each affected series. Mahara releases are available through a subscription, and extended security support can be purchased for versions that are no longer supported.

Added: Aug 22, 2025, 7:26 PM
Updated: Aug 22, 2025, 7:26 PM