CVE-2017-1000144

Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages.

Published: Nov 3, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-1000144
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.8
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mahara / mahara	1.9.1	1.9.1.x
mahara / mahara	1.9.2	1.9.2.x
mahara / mahara	1.9.3	1.9.3.x
mahara / mahara	1.9.0	1.9.0.x
mahara / mahara	1.9-rc1	1.9-rc1.x
mahara / mahara	1.9.4	1.9.4.x
mahara / mahara	1.9.5	1.9.5.x
mahara / mahara	1.10.0	1.10.0.x
mahara / mahara	1.10-rc1	1.10-rc1.x
mahara / mahara	1.10.1	1.10.1.x
mahara / mahara	1.10.2	1.10.2.x
mahara / mahara	1.10.3	1.10.3.x
mahara / mahara	15.04-rc1	15.04-rc1.x
mahara / mahara	15.04-rc2	15.04-rc2.x
mahara / mahara	15.04.0	15.04.0.x

https://bugs.launchpad.net/mahara/+bug/1447377

Vulnerability Database

CVE-2017-1000144

Deep Security Visibility Without the Complexity