Stored XSS in user reports access lists, and shared tabs for user/group/institution
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | Critical | Hugh Davenport |
1.10 | Fix Released | Critical | Unassigned |
1.9 | Fix Released | Critical | Unassigned |
15.04 | Fix Released | Critical | Unassigned |
15.10 | Fix Released | Undecided | Unassigned |
Bug Description
This one requires a malicious institution admin, but could still result in privilege escalation to full admin.
Steps to reproduce:
- As admin, create a new institution, and a new user with admin rights in that institution
- Log in as new institution admin, change name of institution to "<script>
- Add some new users to the institution, their profile pages will automatically be shared with the institution
- If the full admin runs a user report on that new user now and views the access list, they will see the XSS
- If a user shares a page with this institution, then views "Shared by me", then it will trigger
- If a group shares a page ..., it will trigger
- If an institution shares a page ..., it will trigger (can be a different institution; you just have to be in the same institution to be able to share with it (or it is searchable?)).
Mainly low risk, as it doesn't gain privilege on its own, but the full admin may legitimately view the access list report of all users, so that makes it critical as privilege escalation is possible (walled garden setups where there are lots of institution admins who aren't full admins).
Patch to come.
Cheers,
Hugh
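The bug above is an output-encoding failure: a stored institution display name is written into the access-list HTML unescaped. The following is an added example (not Mahara code) with constructed access-list entries for the three share types named in the report; it shows the vulnerable rendering pattern beside the hardened one and an audit helper for names already stored in the database, since stored XSS persists in data after the rendering fix ships.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample data (not from Mahara): one entry per share type from the
# report. The institution name carries the payload the report uses.
@dataclass(frozen=True)
class AccessEntry:
    kind: str          # "user", "group" or "institution"
    display_name: str  # stored display name; institution admins control this one

ACCESS_LIST = [
    AccessEntry("user", "Alice Example"),
    AccessEntry("group", "Tutors & Mentors"),
    AccessEntry("institution", '"<script>'),
]

def render_access_list_vulnerable(entries):
    """The pattern behind the bug: stored names concatenated straight into HTML."""
    rows = [f'<li class="{e.kind}" title="{e.display_name}">{e.display_name}</li>'
            for e in entries]
    return "<ul>" + "".join(rows) + "</ul>"

def render_access_list(entries):
    """Hardened form: every stored value is escaped at output time, including
    inside attributes (quote=True also escapes double and single quotes)."""
    rows = []
    for e in entries:
        safe = html.escape(e.display_name, quote=True)
        kind = html.escape(e.kind, quote=True)
        rows.append(f'<li class="{kind}" title="{safe}">{safe}</li>')
    return "<ul>" + "".join(rows) + "</ul>"

# Characters that can break out of text or attribute context in HTML.
MARKUP = re.compile(r'[<>"\']')

def find_markup_in_stored_names(entries):
    """Audit helper: returns (kind, name) pairs whose stored display names contain
    HTML metacharacters, so an admin can review data saved before the fix."""
    return [(e.kind, e.display_name) for e in entries if MARKUP.search(e.display_name)]

if __name__ == "__main__":
    print(render_access_list_vulnerable(ACCESS_LIST))
    print(render_access_list(ACCESS_LIST))
    print(find_markup_in_stored_names(ACCESS_LIST))
```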
Changed in mahara:
status: In Progress → Fix Committed
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
Patch added