Forums | Mahara Community

Security Announcements /
Security issue relating to XSS and saving of display name <15.04.15, <16.04.9, <16.10.6, <17.04.4


This topic is closed. Only moderators and the group administrators can post new replies.
Robert Lyon's profile picture
Posts: 346

30 October 2017, 2:35 PM

Don't allow saving of firstname, lastname, and preferredname that contain HTML tags

Vuln type: XSS
Impact: Code execution

Suggested description:

Mahara 15.04 before 15.04.15 and 16.04 before 16.04.9 and 16.10 before 16.10.6 and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara.

Reported by: chbi and Robert Lyon
Bug report: https://bugs.launchpad.net/bugs/1719491

CVE: CVE-2017-14752

1 result