CVE-2017-17454

20.02.2018, 22:29

Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
mahara	mahara	16.10.0 ≤ 𝑥 < 16.10.7
mahara	mahara	17.04.0 ≤ 𝑥 < 17.04.5
mahara	mahara	17.10.0 ≤ 𝑥 < 17.10.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://bugs.launchpad.net/mahara/+bug/1732987

https://mahara.org/interaction/forum/topic.php?id=8149

https://reviews.mahara.org/#/c/8191/

https://bugs.launchpad.net/mahara/+bug/1732987

https://mahara.org/interaction/forum/topic.php?id=8149

https://reviews.mahara.org/#/c/8191/