CVE-2017-1000146
03.11.2017, 18:29
Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages.
| Vendor | Product | Version |
|---|---|---|
| mahara | mahara | 1.9:rc1 |
| mahara | mahara | 1.9.0 |
| mahara | mahara | 1.9.1 |
| mahara | mahara | 1.9.2 |
| mahara | mahara | 1.9.3 |
| mahara | mahara | 1.9.4 |
| mahara | mahara | 1.9.5 |
| mahara | mahara | 1.9.6 |
| mahara | mahara | 1.10:rc1 |
| mahara | mahara | 1.10.0 |
| mahara | mahara | 1.10.1 |
| mahara | mahara | 1.10.2 |
| mahara | mahara | 1.10.3 |
| mahara | mahara | 1.10.4 |
| mahara | mahara | 15.04:rc1 |
| mahara | mahara | 15.04:rc2 |
| mahara | mahara | 15.04.0 |
| mahara | mahara | 15.04.1 |
𝑥
= Vulnerable software versions