Stored cross site scripting in all "tags" input
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Unassigned | |
20.04 | Fix Released | High | Unassigned | |
20.10 | Fix Released | High | Unassigned | |
21.04 | Fix Released | High | Unassigned | |
Bug Description
Hello again! In many places in Mahara it's possible to set "tags" for specific objects. In each case the input field used to edit tags is vulnerable to XSS. The attack pattern is to set the payload in a place where it's likely someone else will come and edit later on. Group pages seem like a good target as they seem likely to be edited as part of someone's normal workflow.
1. Visit http://
2. Go to the "Pages and Collection" page in the group, click "+ Add" and select "Page" in the pop up selection
3. Write "<script>
4. Save the page
5. Invite another user to your group to be your victim by going to the Members tab and clicking the "send multiple invitations at once" link
Now if the invited user edits that page's settings the XSS will fire.
There are other "tags" inputs throughout the application where a similar attack scenario would work.
Suggested CVSS: AV:N/AC:
I'm taking a guess here with the A:H/I:H and I didn't push too hard to figure out the maximum impact, but the XSS should allow the attack to read and modify any private data that belongs to the victim.
Let me know if you need anything else!
Dominic
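
The rendering flaw described in the report above, shown from the defender's side as an added example that is not part of the original report and is not Mahara's code. It assumes the edit form pre-populates stored tags as `<option>` elements; all function names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Added illustration, not Mahara code; every name below is hypothetical.

// Encode the five characters that can change HTML context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored tags are concatenated into the edit form as markup.
function renderTagOptionsUnsafe(tags) {
  return tags.map((t) => `<option value="${t}" selected>${t}</option>`).join('');
}

// Hardened pattern: each tag is encoded for both attribute and element content.
function renderTagOptionsSafe(tags) {
  return tags
    .map((t) => `<option value="${escapeHtml(t)}" selected>${escapeHtml(t)}</option>`)
    .join('');
}

// Audit helper: list stored tags that contain HTML metacharacters, so rows
// saved before the fix can be reviewed. Encoding on output stays the control.
function findSuspiciousTags(rows) {
  return rows.filter((r) => /[<>"'&]/.test(r.tag));
}

// Constructed sample data: tags saved on a group page by different members.
const storedTags = [
  { owner: 'member-a', tag: 'portfolio' },
  { owner: 'member-b', tag: '<script>alert(1)</script>' },
  { owner: 'member-c', tag: 'R&D' },
];

const tags = storedTags.map((r) => r.tag);
console.log(renderTagOptionsUnsafe(tags)); // member-b's markup reaches the next editor's page
console.log(renderTagOptionsSafe(tags));   // the same tag arrives as inert text
console.log(findSuspiciousTags(storedTags).map((r) => r.owner));
```

The audit flags `R&D` as well as the script tag, so its output is a review list rather than a verdict.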
CVE References
no longer affects: | mahara/21.10 |
information type: | Private Security → Public Security |
I'm not sure if adding the Mahara Security team as subscribers after the creation of the ticket was enough to get you folks notified so here's another message to generate a notification :)