09 July 2024, 7:16

Kia ora Mahara community,

We have security updates available that fix potential cross-site scripting issues and potential escalation of privileges in Mahara before 24.04.2 and 23.04.7.

Current subscribers can access the code updates and details on the issues that were fixed (see the 'Releases' page):

• 24.04.2
• 23.04.7

CVE-2024-39923

Description: An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person.

Vulnerability Type: Cross Site Scripting (XSS)

Affected Component: Admin controlled pages such as the About page that can be found in the 'Menus' section

Attack Vectors: Rogue administrator can set up path to a custom 'About us' page (or any other in the 'Menus' section that allows for entering a URL) that includes malicious JavaScript code causing anyone who clicks on it to execute that code.

Credit: Boris Lickindorf

The changes are also available on the 'Releases' page as downloadable packages under the heading 'Mahara download files...' in each respective release. If you use the download files, make sure not to download a file called 'source code'. You want to download the files that have the compiled code.

If you use a download package for Mahara 23.04.7, please make sure you select the correct one. There are different files for use on PHP 7.4 and PHP 8.1, and if you use Redis as session handler.

As subscriber, we recommend you update your instance of Mahara to the latest maintenance release of the series of Mahara you are using, or if you are on an unsupported version of Mahara, upgrade to a supported one.

Mahara releases are available via a subscription.

Thank you

The Mahara team at Catalyst