Mahara before 1.4.1, when MNet (aka the Moodle network feature) is used, allows remote authenticated users to gain privileges via a jump to an XMLRPC target.
https://launchpad.net/mahara/+milestone/1.4.1
https://bugs.launchpad.net/mahara/+bug/884223
http://www.debian.org/security/2011/dsa-2334
http://secunia.com/advisories/46719
http://openwall.com/lists/oss-security/2011/11/04/7