Forums | Mahara Community

Security Announcements /
Security issue relating to cross-site scripting <15.04.15; <16.04.9; <16.10.6; <17.04.4


This topic is closed. Only moderators and the group administrators can post new replies.
Robert Lyon's profile picture
Posts: 346

30 October 2017, 2:27 PM

User's displayed title is not escaped for internal artefacts

Vuln type: CSS
Impact: Code execution

Suggested description:

Mahara 15.04 before 15.04.15 and 16.04 before 16.04.9 and 16.10 before 16.10.6 and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts.

Reported by: chbi
Bug reports:
https://bugs.launchpad.net/mahara/+bug/1720034
https://bugs.launchpad.net/mahara/+bug/1719472
https://bugs.launchpad.net/mahara/+bug/1719480

CVE: CVE-2017-15273

1 result