{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-59308", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-24T16:12:42.266Z", "dateReserved": "2025-09-12T00:00:00.000Z", "datePublished": "2026-04-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:55:21.873Z"}, "descriptions": [{"lang": "en", "value": "In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://mahara.org"}, {"url": "https://mahara.org/interaction/forum/topic.php?id=9851"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T16:12:38.136259Z", "id": "CVE-2025-59308", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:12:42.266Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-59308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T16:12:38.136259Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:11:16.604Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://mahara.org"}, {"url": "https://mahara.org/interaction/forum/topic.php?id=9851"}], "descriptions": [{"lang": "en", "value": "In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-24T14:55:21.873Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59308", "state": "PUBLISHED", "dateUpdated": "2026-04-24T16:12:42.266Z", "dateReserved": "2025-09-12T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Mahara before 24.04.10 and 25 before 25.04.1, an institution administrator or institution support administrator on a multi-tenanted site can masquerade as an institution member in an institution for which they are not an administrator, if they also have the 'Site staff' role."}], "id": "CVE-2025-59308", "lastModified": "2026-04-24T17:54:36.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T16:16:23.610", "references": [{"source": "cve@mitre.org", "url": "https://mahara.org"}, {"source": "cve@mitre.org", "url": "https://mahara.org/interaction/forum/topic.php?id=9851"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.04.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.04.1)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "mahara", "vendor": "mahara"}], "analysis": {"en": {"generated_at": "2026-04-28T07:11:28.467815+00:00", "value": {"mitigation_remediation": ["Upgrade Mahara to at least 24.04.10 or 25.04.1 to eliminate the role\u2011mixing issue.", "Restrict the Site staff role, removing the ability to alter organisation\u2011level permissions and apply least\u2011privilege principles.", "Audit current user roles and re\u2011assign any users with both administrator and Site staff privileges who do not need such overlap.", "Enable detailed logging for role changes and inter\u2011institution access, and review logs regularly for anomalous activity."], "summary": {"action": "Apply patch", "impact": "Unauthorized impersonation of institution members"}, "threat_synthesis": {"affected_systems": "The flaw exists in Mahara releases before 24.04.10 and before 25.04.1. Any deployment using those releases on a multi\u2011tenant configuration with Site staff responsibilities is vulnerable. The affected vendors/products list is not available, but the issue targets the Mahara open\u2011source e\u2011learning platform.\n", "description_and_impact": "The vulnerability allows institution administrators or support administrators who also have the Site staff role on a multi\u2011tenant Mahara site to impersonate users in institutions for which they are not administrators. This enables a privileged user to masquerade as an ordinary member, bypassing ownership boundaries and potentially accessing personal data or executing actions as that member, leading to data leakage or tampering.\n\nThe flaw is an access\u2011control oversight (CWE\u2011284) that permits a user with overlapping roles to exercise permissions beyond their intended scope.\n\nWhile the CVSS score of 4.7 indicates a medium severity, the exploitation requires prior possession of Site staff privileges, limiting the attack surface.\n", "risk_and_exploitability": "The EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation necessitates that the attacker already possess Site staff privileges, which could be obtained through social engineering or compromised accounts. Once in place, the attacker can locally impersonate a member of another institution by accessing the institution member interface. Given the moderate CVSS score and limited scope, the risk is moderate but warrants remediation.\n"}}}}, "created": "2026-04-27T19:15:11.634115+00:00", "title": "Privilege Escalation via Masquerading in Multi\u2011Tenant Mahara", "updated": "2026-04-28T07:15:19.379192+00:00", "vendors": ["mahara", "mahara$PRODUCT$mahara"]}