Cross site scripting (XSS) vulnerability in Mahara 1.6

Bug #1091764 reported by M.R.Vignesh Kumar
Affects Status Importance Assigned to Milestone
Fix Released
Aaron Wells
Fix Released
Aaron Wells

Bug Description

Hi Mahara Security Team,

I have found a Persistent/Stored Cross site scripting (XSS) vulnerability in Mahara version 1.6.

What is Cross site scripting (XSS):

The vulnerability exists in the following link:

For example, in a note such as , the "Note Title" is thrown with an XSS vector such as "><img src=x onerror=prompt(1);> or <script>alert(/xss/);</script>.

When the notes page ( ) is loaded, the payload in the title triggers the XSS since it is not sanitized.

Fix it as soon as possible.

M.R.Vignesh Kumar(@vigneshkumarmr)

Tags: xss
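The report describes the classic stored-XSS shape: a value saved by one user (the note title) is written back into the notes page without output encoding, so the two payloads quoted above either break out of an attribute or land as a raw script element. The following is an added illustration, not Mahara's own code or the actual fix shipped in 1.5.8; the note structure, the render functions and the "#note-<id>" anchor are constructed for the example. It shows the vulnerable concatenation beside the encoded version and a small check a developer can run against both.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from Mahara. It models the bug reported above: a stored
// note title written into the notes page without output encoding. The note structure,
// the render functions and the '#note-<id>' anchor are constructed for this example.

// Constructed sample data: an ordinary title plus the two payloads quoted in the report.
const SAMPLE_NOTES = [
    ['id' => 1, 'title' => 'Weekly reflection'],
    ['id' => 2, 'title' => '"><img src=x onerror=prompt(1);>'],
    ['id' => 3, 'title' => '<script>alert(/xss/);</script>'],
];

// Vulnerable pattern: the stored title is concatenated into both an attribute value and
// element text. Payload 2 closes the attribute and the tag; payload 3 injects a script element.
function render_note_vulnerable(array $note): string
{
    return '<li><a href="#note-' . $note['id'] . '" title="' . $note['title'] . '">'
        . $note['title'] . '</a></li>';
}

// Output encoding for HTML text and double-quoted attribute contexts. ENT_QUOTES also
// encodes the single quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function hsc_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output, every time the untrusted value is emitted.
function render_note_safe(array $note): string
{
    $id    = (int) $note['id'];        // numeric value: cast rather than encode
    $title = hsc_out($note['title']);  // same encoding serves the attribute and the text node
    return '<li><a href="#note-' . $id . '" title="' . $title . '">' . $title . '</a></li>';
}

// Regression check: if a stored title containing '<', '>' or '"' reappears verbatim in the
// rendered HTML, it has been emitted as markup rather than as data.
function title_survives_as_markup(string $rendered, string $storedTitle): bool
{
    return strpos($rendered, $storedTitle) !== false
        && preg_match('/[<>"]/', $storedTitle) === 1;
}

foreach (SAMPLE_NOTES as $note) {
    $vuln = render_note_vulnerable($note);
    $safe = render_note_safe($note);
    printf(
        "note %d\n  vulnerable: %s\n  safe:       %s\n  markup leaks: vulnerable=%s safe=%s\n",
        $note['id'],
        $vuln,
        $safe,
        title_survives_as_markup($vuln, $note['title']) ? 'yes' : 'no',
        title_survives_as_markup($safe, $note['title']) ? 'yes' : 'no'
    );
}
```

Run with `php notes_xss.php`: notes 2 and 3 report a leak from the vulnerable renderer and none from the encoded one, while note 1 renders identically in both. Two caveats a reviewer would raise: encoding must be context-specific (this helper covers HTML text and quoted attributes, not JavaScript strings or URLs), and any client-side code that later places the title into the DOM must use `textContent` rather than `innerHTML`, or the server-side fix is undone.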
Revision history for this message
M.R.Vignesh Kumar (mrkumarvignesh) wrote :
description: updated
Melissa Draper (melissa)
Changed in mahara:
milestone: none → 1.5.8
Melissa Draper (melissa)
Changed in mahara:
status: New → Fix Released
importance: Undecided → High
assignee: nobody → Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Melissa Draper (melissa)
no longer affects: mahara/1.7