Security issue relating to XSS and saving of display name <15.04.15, <16.04.9, <16.10.6, <17.04.4
30 October 2017, 14:35
Don't allow saving of firstname, lastname, and preferredname that contain HTML tags
Vuln type: XSS
Impact: Code execution
Suggested description:
Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6 and 17.04 before 17.04.4 are vulnerable to a user submitting a potentially dangerous payload, e.g. XSS code, to be saved as their first name, last name or display name in the profile fields. This can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara.
Reported by: chbi and Robert Lyon
Bug report: https://bugs.launchpad.net/bugs/1719491
CVE: CVE-2017-14752
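
The fix described above, sketched as an added example (not Mahara's own code; every function name here is hypothetical): a save-time check that rejects firstname, lastname and preferredname when they contain HTML tags. It also encodes names on output, because a save-time check does not clean values that were stored before it existed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Mahara's code. Function names are hypothetical.
const NAME_FIELDS = ['firstname', 'lastname', 'preferredname'];

// True when the value contains something PHP's tag stripper would remove.
function name_contains_markup(string $value): bool
{
    return strip_tags($value) !== $value;
}

// Save-time check: returns field => error message for every rejected field.
function validate_profile_names(array $profile): array
{
    $errors = [];
    foreach (NAME_FIELDS as $field) {
        $value = trim((string) ($profile[$field] ?? ''));
        if ($value !== '' && name_contains_markup($value)) {
            $errors[$field] = "$field must not contain HTML tags";
        }
    }
    return $errors;
}

// Output-side encoding for names that were saved before the check existed.
function render_name(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions (not taken from the bug report).
$submissions = [
    ['firstname' => 'Aroha', 'lastname' => "O'Neill", 'preferredname' => ''],
    ['firstname' => '<b>Aroha</b>', 'lastname' => 'Ngata', 'preferredname' => ''],
    ['firstname' => 'Sam', 'lastname' => 'Lee',
     'preferredname' => '<script>/* constructed */</script>'],
];

foreach ($submissions as $i => $profile) {
    $errors = validate_profile_names($profile);
    echo "#$i ", $errors ? 'rejected: ' . implode('; ', $errors) : 'accepted', "\n";
    foreach (NAME_FIELDS as $field) {
        // What a page would emit if this value were already in the database.
        echo "    $field => ", render_name($profile[$field]), "\n";
    }
}
```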