XSS Vulnerability adding pages into a collection

Bug #1377736 reported by Son Nguyen on 2014-10-05
This bug affects 1 person
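| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| Mahara  |        | High       | Son Nguyen  |           |
| 1.10    |        | High       | Son Nguyen  |           |
| 15.04   |        | High       | Unassigned  |           |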

Bug Description

Version: master (1.10)
Platform, browser: any

Steps to reproduce:

1. Create a page with the title "<script>alert(1);</script>" without the quotes
2. Create a collection
3. Add the page into the collection by dragging it.

You will see the alert pop-up window.

Son Nguyen (ngson2000) wrote :

This issue also happens when you drag/drop a page into an empty collection.
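
An added example, not part of the original report and not Mahara's code: a hypothetical row renderer showing the class of bug the steps above trigger (a stored page title written into markup without encoding) next to the encoded form, with a small regression check. The function names, markup and sample pages are assumptions constructed for illustration.

```javascript
// Hypothetical stand-in for client-side code that builds the row shown when
// a page is dropped into a collection. Not Mahara's actual code.

// Encode the characters that are significant in HTML text and in quoted
// attribute values. '&' is replaced first so entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so a title containing markup is parsed as markup by the browser.
function renderRowUnsafe(page) {
  return '<li id="row_' + Number(page.id) + '" title="' + page.title + '">' +
    page.title + '</li>';
}

// Hardened form: the title is encoded before it reaches either context.
function renderRowSafe(page) {
  const title = escapeHtml(page.title);
  return '<li id="row_' + Number(page.id) + '" title="' + title + '">' +
    title + '</li>';
}

// Regression check: return the pages whose title contains HTML-significant
// characters and still appears verbatim in the rendered row.
function titlesRenderedRaw(renderRow, pages) {
  return pages.filter(function (page) {
    const needsEncoding = escapeHtml(page.title) !== page.title;
    return needsEncoding && renderRow(page).includes(page.title);
  });
}

// Constructed sample data: the title from the report plus two benign titles.
const SAMPLE_PAGES = [
  { id: 1, title: '<script>alert(1);</script>' },
  { id: 2, title: 'Tom\'s "best" page & notes' },
  { id: 3, title: 'Plain title' },
];

console.log('unsafe:', titlesRenderedRaw(renderRowUnsafe, SAMPLE_PAGES).length);
console.log('safe:  ', titlesRenderedRaw(renderRowSafe, SAMPLE_PAGES).length);
```

Running the same check against every code path that renders a page title (the list view, the drag/drop handler, the empty-collection case) is what catches a regression like this one.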

Robert Lyon (robertl-9) on 2014-10-05
Changed in mahara:
milestone: none → 1.10.0
status: New → Fix Committed
Son Nguyen (ngson2000) on 2014-10-06
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
Robert Lyon (robertl-9) on 2014-10-06
Changed in mahara:
importance: Undecided → High
Aaron Wells (u-aaronw) on 2014-10-21
tags: added: regression
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information.
Everyone can see this security related information.