Forums | Mahara Community
Security Announcements
Security issues relating to XSS <1.7.8, <1.8.5, <1.9.3
22 October 2014, 16:18
Institution display names were not always properly escaped, allowing for XSS by institution admins.
Category: Cross-site scripting
Severity: Medium
Versions Affected: <1.7.8, <1.8.5, <1.9.3
Reported by: Yuliya Bozhko
Bug report: https://bugs.launchpad.net/mahara/+bug/1381868
CVE reference: CVE-2014-8698
Skin descriptions were not properly escaped, allowing for XSS in sites that use page skins (a feature added in Mahara 1.8).
Category: Cross-site scripting
Severity: High
Versions Affected: <1.8.5, <1.9.3
Reported by: Son Nguyen
Bug report: https://bugs.launchpad.net/mahara/+bug/1373170
CVE reference: CVE-2014-8699
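Both issues above are the same class of bug: a string controlled by a privileged but untrusted user (an institution admin's display name, a skin author's description) is written into HTML without output escaping. The example below is added here to illustrate that pattern and its fix; it is not Mahara code and does not reproduce the affected templates. The function names, the `escape_html()` helper (modelled on a thin wrapper around `htmlspecialchars()`, as many PHP projects use) and the payload strings are all assumptions constructed for the demonstration.

```php
<?php
// Added example, not from Mahara. Shows the vulnerable "echo it as-is"
// pattern beside the fixed "escape at output time" pattern for the two
// inputs named in the advisory. All names and payloads are constructed.

/**
 * Escape a string for use as HTML text or inside a double-quoted attribute.
 * Assumed helper; Mahara's own wrapper is not reproduced here.
 */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable: institution display name interpolated into markup unchanged. */
function render_institution_unescaped(string $displayname): string
{
    return '<h2 class="institution">' . $displayname . '</h2>';
}

/** Fixed: the same view, escaped where the value meets the HTML. */
function render_institution_escaped(string $displayname): string
{
    return '<h2 class="institution">' . escape_html($displayname) . '</h2>';
}

/** Vulnerable: skin title in an attribute, description in element text. */
function render_skin_unescaped(string $title, string $description): string
{
    return '<div class="skin" title="' . $title . '">' . $description . '</div>';
}

/** Fixed: both contexts escaped; ENT_QUOTES matters for the attribute. */
function render_skin_escaped(string $title, string $description): string
{
    return '<div class="skin" title="' . escape_html($title) . '">'
         . escape_html($description) . '</div>';
}

/**
 * Regression check suitable for a unit test: if the input carried any
 * markup-significant character and it appears verbatim in the output,
 * escaping was skipped somewhere. A sanity check, not an HTML parser.
 */
function leaks_raw_input(string $html, string $input): bool
{
    return strpbrk($input, '<>"\'') !== false && strpos($html, $input) !== false;
}

// Constructed payloads for the demo (not taken from the bug reports).
$displayname = 'Acme <script>alert(document.cookie)</script>';
$skinTitle   = 'Dark" onmouseover="alert(1)';
$skinDesc    = '<img src=x onerror="alert(1)">';

$cases = [
    'institution/unescaped' => [render_institution_unescaped($displayname), [$displayname]],
    'institution/escaped'   => [render_institution_escaped($displayname),   [$displayname]],
    'skin/unescaped'        => [render_skin_unescaped($skinTitle, $skinDesc), [$skinTitle, $skinDesc]],
    'skin/escaped'          => [render_skin_escaped($skinTitle, $skinDesc),   [$skinTitle, $skinDesc]],
];

foreach ($cases as $label => [$html, $inputs]) {
    $leaks = false;
    foreach ($inputs as $input) {
        $leaks = $leaks || leaks_raw_input($html, $input);
    }
    printf("%-22s %s\n  %s\n", $label, $leaks ? 'UNSAFE' : 'ok', $html);
}
```

Run with `php example.php`: the two `unescaped` cases print `UNSAFE` with the raw `<script>` and `onmouseover=` sequences in the output, the two `escaped` cases print `ok` with `&lt;`, `&gt;` and `&quot;` in their place. The attribute case is why `ENT_QUOTES` is used rather than the PHP default, which leaves single quotes alone and would not protect a single-quoted attribute.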
We strongly recommend that Mahara administrators in multi-institution sites, and/or sites that have page skins enabled, upgrade to the latest Mahara version: 1.7.8, 1.8.5, 1.9.3, or 1.10.0
Download links for fixed versions:
- https://launchpad.net/mahara/+milestone/1.7.8
- https://launchpad.net/mahara/+milestone/1.8.5
- https://launchpad.net/mahara/+milestone/1.9.3
- https://launchpad.net/mahara/+milestone/1.10.0
[Update by Kristina to add CVE references]
Edits to this post:
- Kristina Hoeppner - 24 November 2014, 13:36