Forums | Mahara Community

Security Announcements /
Security issue relating to XSS <1.9.7, <1.10.5, <15.04.2


Aaron Wells's profile picture
Posts: 896

10 July 2015, 6:19 PM

The title of the portfolio page was not being properly escaped in the AJAX script that updates the “Add/remove watchlist” link on artefact detail pages. An attacker who can create or edit a portfolio page could use this to execute arbitrary Javascript in the browser of a logged-in user.

Category: XSS
Severity: High
Versions affected: <1.9.7, <1.10.5, <15.04.2
Reported by: Yuji Tounai
Bug reports: https://bugs.launchpad.net/mahara/+bug/1472439
CVE reference: 2017-1000146

Edits to this post:
1 result