Forums | Mahara Community

External vulnerability in Mahara flowplayer in <1.5.8 and <1.6.3


Melissa Draper

15 February 2013, 4:58 PM

Cross-site scripting vulnerability in external library

Category: Cross-site Scripting
Severity: Critical
Versions affected: < 1.6.3, < 1.5.8
Reported by: Wan Ikram
Identifier: CVE-2011-3642
Bug report: https://bugs.launchpad.net/mahara/+bug/1103748

We were notified of an outstanding vulnerability in the default publication of the Flash edition of Flowplayer. Flowplayer's authors have not fixed this vulnerability and only offer the fix of upgrading to their HTML5 embedded player instead. http://flash.flowplayer.org/forum/8/102773

As these are stable releases, and we do not need the vulnerable features of the media player (Mahara uses it for internal media only), the Mahara developers made the choice to fork the Flowplayer Flash project and recompile it with the small changes needed to stop the vulnerability. It can be found at https://github.com/catalyst/mahara-flashplayer

Upgrading to Mahara 1.5.8 or 1.6.3 is strongly recommended.

Download links for fixed versions:
    https://launchpad.net/mahara/+milestone/1.5.8
    https://launchpad.net/mahara/+milestone/1.6.3
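The "Versions affected" line above lists two independent ranges, one per stable branch: 1.5.x is fixed from 1.5.8 and 1.6.x from 1.6.3. A scanner or inventory script that collapses that into a single "less than 1.6.3" comparison will wrongly report a patched 1.5.8 or 1.5.9 as vulnerable. The following is an added example (not code from Mahara or from this announcement) showing the naive check beside a branch-aware one; the table of fix releases is taken from the advisory, and the treatment of branches the advisory does not mention (1.4 and earlier counted as affected, 1.7 and later returned as "unknown") is this example's own assumption.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fix releases per stable branch, as listed in the advisory above.
FIXED_PER_BRANCH = {
    (1, 5): (1, 5, 8),
    (1, 6): (1, 6, 3),
}
OLDEST_FIXED_BRANCH = min(FIXED_PER_BRANCH)


def parse_version(text: str) -> Version:
    """Turn 'a.b' or 'a.b.c' into a comparable tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def naive_is_affected(text: str) -> bool:
    """The wrong check: 'older than the highest fixed release'.

    It flags 1.5.8 and 1.5.9 as vulnerable even though 1.5.8 already
    carries the fix on the 1.5 branch.
    """
    return parse_version(text) < max(FIXED_PER_BRANCH.values())


def is_affected(text: str) -> Optional[bool]:
    """Branch-aware check matching the advisory's '< 1.5.8, < 1.6.3'.

    Returns True or False for branches the advisory covers and None for
    branches released after it (assumption made here: the advisory says
    nothing about them, so they are reported as unknown, not as safe).
    """
    v = parse_version(text)
    branch = v[:2]
    fixed = FIXED_PER_BRANCH.get(branch)
    if fixed is not None:
        return v < fixed
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption: 1.4 and earlier sit below every fixed release and
        # received no fix, so every such release is treated as affected.
        return True
    return None


if __name__ == "__main__":
    # Constructed sample versions straddling both fix boundaries.
    for sample in ["1.4.5", "1.5.7", "1.5.8", "1.5.9", "1.6.2", "1.6.3", "1.7.0"]:
        print(f"{sample:6}  naive={naive_is_affected(sample)!s:5}  "
              f"branch-aware={is_affected(sample)}")
```

Running the block prints the two checks side by side; the rows for 1.5.8 and 1.5.9 are where the single-threshold comparison gives the wrong answer.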
