CVE-2019-9709

An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
maharamahara
17.10.0 ≤
𝑥
< 17.10.8
maharamahara
18.04.0 ≤
𝑥
< 18.04.4
maharamahara
18.10.0 ≤
𝑥
< 18.10.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mahara
focal
dne
eoan
dne
bionic
dne
xenial
dne
trusty
dne
precise
ignored
Common Weakness Enumeration
References
https://bugs.launchpad.net/bugs/1819547
https://mahara.org/interaction/forum/topic.php?id=8446
https://bugs.launchpad.net/bugs/1819547
https://mahara.org/interaction/forum/topic.php?id=8446