In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, exported CSV files could contain characters that a spreadsheet program could interpret as a command, leading to execution of a malicious string locally on a device, aka CSV injection.
{
"versions": [
{
"introduced": "0"
},
{
"fixed": "20.04.5"
},
{
"introduced": "20.10.0"
},
{
"fixed": "20.10.3"
},
{
"introduced": "21.04.0"
},
{
"fixed": "21.04.2"
}
]
}