Forums | Mahara Community

XSS exploit in 'External media' block in Mahara before 20.10.5, 21.04.4, and 21.10.2


Robert Lyon
27 April 2022, 13:21

Vulnerability type: Cross-site scripting (XSS) / stored XSS
Attack type: Remote
Impact: Code execution

Affected components: The 'External media' block and anywhere you can enter HTML code, such as a text block, notes, journal entry, and forum post.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to stored cross-site scripting when a particular CSS class for embedly is used and JavaScript code is constructed to perform an action.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1968920
CVE reference: 2022-29584
