Launchpad.net

CVE 2017-17454

Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.

Related bugs and status

CVE-2017-17454 (Candidate) is related to these bugs:

Bug #1732987: Fix user input from direct get post usage

		In	Importance	Status
1732987	Fix user input from direct get post usage	Mahara	High	Fix Released
1732987	Fix user input from direct get post usage	Mahara 18.04	High	Fix Released
1732987	Fix user input from direct get post usage	Mahara 16.10	High	Fix Released
1732987	Fix user input from direct get post usage	Mahara 17.10	High	Fix Released
1732987	Fix user input from direct get post usage	Mahara 17.04	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2017-17454

Related bugs and status

Related bugs

References