Stored XSS in TinyMCE editor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Hugh Davenport |
1.5 | Fix Released | Undecided | Unassigned |
1.6 | Fix Released | Undecided | Unassigned |
1.7 | Fix Released | Undecided | Unassigned |
Bug Description
Reported by two independent researchers in different locations.
How to reproduce:
- Go to a page with a TinyMCE editor (such as /artefact/internal/ -> Introduction)
- Click the TinyMCE "HTML" button
- Enter payload of something like "<img src=x onmouseover=
- Save page
- Reload, hover over broken image, notice the alert
The XSS is stored only for the editing part of the TinyMCE editor. I couldn't quickly find any location where it was not escaped in the view section (which is blocktype dependent; the above example would be the profileinfo blocktype from artefact/internal).
The fix is to escape the value sent to tinymce in lib/form/
The other location reported was in a new page, the "Page description" input. The same patch fixes this.
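As an added illustration (not Mahara's code; Mahara's form library is PHP, and the real fix is the Gerrit change referenced on this page), the following Python model renders an editor field from a stored value in the unescaped and the escaped shape, and carries the two checks a reviewer of the fix wants: no live `on*=` attribute survives in the rendered markup, and the escaped value decodes back to exactly the stored HTML so the editor still loads what the author wrote. The stored sample value, the field name and all function names are constructed for this example.

```python
import html
import re
from typing import List

# Constructed sample of a stored "Introduction" value, shaped like the payload in
# the report (event-handler attribute on a broken image); not taken from any site.
STORED_INTRO = '<p>About me</p><img src=x onmouseover=handler>'

# Matches a real tag carrying an on*= attribute anywhere in the rendered markup.
EVENT_HANDLER_ATTR = re.compile(r'<\w+[^>]*\bon\w+\s*=', re.IGNORECASE)


def render_editor_field_unescaped(name: str, value: str) -> str:
    """Vulnerable shape: the stored HTML is placed into the form markup verbatim,
    so tags it contains become part of the page instead of field text."""
    return f'<textarea name="{name}">{value}</textarea>'


def render_editor_field_escaped(name: str, value: str) -> str:
    """Hardened shape: escape &, <, > and quotes for the HTML context. The browser
    now sees text; TinyMCE decodes the entities and shows the author's HTML."""
    return (f'<textarea name="{html.escape(name)}">'
            f'{html.escape(value)}</textarea>')


def raw_event_handlers(markup: str) -> List[str]:
    """Defender's check: every live on*= attribute found in the rendered markup."""
    return [m.group(0) for m in EVENT_HANDLER_ATTR.finditer(markup)]


def editor_still_receives_original(value: str) -> bool:
    """Escaping must not change what the editor loads: decoding the entities
    must give back exactly the stored string."""
    return html.unescape(html.escape(value)) == value


if __name__ == '__main__':
    for renderer in (render_editor_field_unescaped, render_editor_field_escaped):
        markup = renderer('introduction', STORED_INTRO)
        print(renderer.__name__, '->', raw_event_handlers(markup) or 'no raw handlers')
    print('editor gets original HTML back:', editor_still_receives_original(STORED_INTRO))
```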
Changed in mahara:
- status: Confirmed → In Progress

Changed in mahara:
- status: In Progress → Fix Committed
- milestone: none → 1.6.4
- milestone: 1.6.4 → none
- milestone: none → 1.7.0
- milestone: 1.7.0 → none
- information type: Private Security → Public Security

Changed in mahara:
- status: Fix Committed → Fix Released
https://reviews.mahara.org/2044