Description
Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.3 and 1.5.x before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) javascript innerHTML as used when generating login forms, (2) links or (3) resources URLs, and (4) the Display name in a user profile.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by anonymous · textwebappsphp
https://www.exploit-db.com/exploits/37565
References (5)
Core 5
Core References
Exploit, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/mahara/+bug/1009774
Exploit, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/mahara/+bug/1009777
Exploit, Patch, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/mahara/+bug/1009784
Patch, Vendor Advisory x_refsource_misc
https://mahara.org/interaction/forum/topic.php?id=4748
Third Party Advisory x_refsource_misc
http://www.debian.org/security/2012/dsa-2540
Scores
CVSS v3
6.1
EPSS
0.0563
EPSS Percentile
90.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
debian/debian_linux
6.0
mahara/mahara
1.4.0 - 1.4.3
Published
Dec 17, 2019
Tracked Since
Feb 18, 2026