Security issue relating to Cross Site Scripting (XSS) <17.10.8; <18.04.4: <18.10.1


Robert Lyon

30 April 2019, 7:26 PM

Message for the forum announcement:

Cross site scripting of collection title on SmartEvidence overview page

Severity: High
Vulnerability type: XSS

An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.

Reported by: Kirtikumar Anandrao Ramchandani
Bug report: https://bugs.launchpad.net/mahara/+bug/1819547
CVE reference: CVE-2019-9709

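For administrators checking their own sites against the version ranges in this announcement, the following is an added example and not code from the Mahara project. The function names, the status strings and the sample inventory are assumptions made for illustration; the release series and fixed versions are the ones stated in the announcement.

```python
import re

# Release series -> first fixed patch release, as stated in the announcement
# (17.10 before 17.10.8, 18.04 before 18.04.4, 18.10 before 18.10.1).
FIXED_PATCH = {(17, 10): 8, (18, 4): 4, (18, 10): 1}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (for example '18.04.3') into a tuple of ints."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised Mahara version: {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version, smartevidence_enabled=True):
    """Classify one site against CVE-2019-9709.

    Returns one of (hypothetical labels chosen for this example):
      'fixed'                - patch level at or above the fixed release
      'affected'             - vulnerable release, SmartEvidence turned on
      'affected-feature-off' - vulnerable release, overview page not in use
      'unknown'              - series not mentioned in the announcement
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return "unknown"
    if patch >= fixed_patch:
        return "fixed"
    return "affected" if smartevidence_enabled else "affected-feature-off"


def triage_inventory(sites):
    """Map site name -> status for an iterable of (name, version, enabled)."""
    return {name: triage(version, enabled) for name, version, enabled in sites}


# Constructed sample inventory (not real hosts).
SAMPLE_SITES = [
    ("portfolio-a", "17.10.7", True),
    ("portfolio-b", "18.04.4", True),
    ("portfolio-c", "18.10.0", False),
    ("portfolio-d", "19.04.0", True),
]

if __name__ == "__main__":
    for site, status in triage_inventory(SAMPLE_SITES).items():
        print(f"{site}: {status}")
```

A result of 'affected-feature-off' still calls for an upgrade, since the unescaped output remains in the code and becomes reachable as soon as SmartEvidence is turned on.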