CVE-2012-2243

EUVD-2012-2236
Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script.  NOTE: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
Affected Products (NVD)
VendorProductVersion
maharamahara
1.4:rc1
maharamahara
1.4:rc2
maharamahara
1.4:rc3
maharamahara
1.4:rc4
maharamahara
1.4.0
maharamahara
1.4.1
maharamahara
1.4.2
maharamahara
1.4.3
maharamahara
1.4.4
maharamahara
1.5:rc1
maharamahara
1.5:rc2
maharamahara
1.5.0
maharamahara
1.5.1
maharamahara
1.5.2
maharamahara
1.5.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
hardy
dne
lucid
ignored
oneiric
ignored
precise
ignored
quantal
ignored
raring
not-affected
saucy
not-affected
trusty
dne
utopic
dne
vivid
dne
wily
dne
xenial
dne
yakkety
dne
zesty
dne
Common Weakness Enumeration
References
http://www.debian.org/security/2012/dsa-2591
https://bugs.launchpad.net/mahara/+bug/1055232
https://mahara.org/interaction/forum/topic.php?id=4937
http://www.debian.org/security/2012/dsa-2591
https://bugs.launchpad.net/mahara/+bug/1055232
https://mahara.org/interaction/forum/topic.php?id=4937