Cross-site Scripting in Mahara 1.4.0 and 1.3.6


François Marier

03 November 2011, 17:48

Category: Cross-site Scripting
Severity: High
Versions affected: < 1.3.7, < 1.4.1
Reported by: Teemu Vesala
Identifier: CVE-2011-2771
Bug report: 798136

The externalfeed block did not sanitize certain URLs contained in RSS feeds and this could therefore be used as a cross-site scripting vector.

We strongly recommend that all Mahara administrators upgrade to the latest version if the externalfeed block is enabled on their site.
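
The class of check the advisory describes, as an added illustration that is not taken from Mahara's code or from its fix for this issue: a feed renderer that accepts only absolute http(s) links from RSS items and HTML-escapes everything it writes into the page. The function names `safe_feed_url` and `render_feed_items` and the sample feed are constructed for this example.

```php
<?php
// Added example; hypothetical helper names, not Mahara's externalfeed code.
// Constructed sample feed: a normal item, an item whose <link> carries a
// script scheme, and an item with a relative link.
const SAMPLE_FEED = <<<'XML'
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Release notes</title><link>https://example.org/news/1</link></item>
<item><title>Odd &lt;b&gt;item&lt;/b&gt;</title><link> JavaScript:alert(1)</link></item>
<item><title>Relative</title><link>/local/path</link></item>
</channel></rss>
XML;

/** Return the URL if it is an absolute http(s) URL, otherwise null. */
function safe_feed_url(string $url): ?string {
    $url = trim($url);
    // Reject embedded whitespace and control characters outright; browsers
    // strip some of them before resolving the scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allow-list of schemes: anything not listed here is dropped.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

/** Render feed items as an HTML list, linking only to URLs that pass the check. */
function render_feed_items(string $xml): string {
    libxml_use_internal_errors(true);   // malformed feeds must not emit warnings
    // LIBXML_NONET: never fetch network resources while parsing untrusted XML.
    $feed = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($feed === false || !isset($feed->channel->item)) {
        return '';
    }
    $out = '';
    foreach ($feed->channel->item as $item) {
        // Titles come from the remote feed as well, so escape them too.
        $title = htmlspecialchars((string) $item->title, ENT_QUOTES, 'UTF-8');
        $url = safe_feed_url((string) $item->link);
        $out .= $url === null
            ? "<li>$title</li>\n"
            : '<li><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "\">$title</a></li>\n";
    }
    return $out;
}

echo render_feed_items(SAMPLE_FEED);
```

Only the first item is rendered as a link; the other two keep their escaped titles but lose the `href`, because their links are not absolute http(s) URLs.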
