CVE-2017-17454

Published: Feb 20, 2018Modified: Nov 21, 2024

5.4

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.

Affected (3)

Products: Mahara: Mahara

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mahara Mahara	From 16.10.0 to 16.10.7
Mahara Mahara	From 17.04.0 to 17.04.5
Mahara Mahara	From 17.10.0 to 17.10.2

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://bugs.launchpad.net/mahara/+bug/1732987

Source: cve@mitre.org

Third Party Advisory

https://mahara.org/interaction/forum/topic.php?id=8149

Source: cve@mitre.org

Vendor Advisory

https://reviews.mahara.org/#/c/8191/

Source: cve@mitre.org

Vendor Advisory

https://bugs.launchpad.net/mahara/+bug/1732987

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://mahara.org/interaction/forum/topic.php?id=8149

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://reviews.mahara.org/#/c/8191/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.