Comment 2 for bug 1968920

Kristina Hoeppner (kris-hoeppner) wrote:

Vulnerability type: Cross-site scripting (XSS) / stored XSS
Attack type: Remote
Impact: Code execution

Affected components: The 'External media' block and anywhere you can enter HTML code, such as a text block, notes, journal entry, and forum post.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to stored cross-site scripting when a particular CSS class for embedly is used and JavaScript code is constructed to perform an action.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1968920
CVE reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29584