First published: Tue Feb 20 2018
Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 have a cross-site scripting (XSS) vulnerability that is triggered when a user enters invalid UTF-8 characters. The fixed releases discard invalid UTF-8 byte sequences on input, together with NULL characters and invalid Unicode characters. Mahara also now avoids direct $_GET and $_POST usage where possible, and instead uses param_exists() and the appropriate param_*() function to fetch each expected value in its expected type.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mahara Mahara | >=16.10.0, <16.10.7 | Update to 16.10.7 or later |
Mahara Mahara | >=17.04.0, <17.04.5 | Update to 17.04.5 or later |
Mahara Mahara | >=17.10.0, <17.10.2 | Update to 17.10.2 or later |
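The description above names two mitigations without showing either: discarding invalid UTF-8, NULL and invalid Unicode on input, and replacing direct $_GET/$_POST reads with typed param_*() accessors. The block below is an added worked example of both; it is not Mahara's own code and not the actual patch. The byte-level pattern is the standard UTF-8 grammar from RFC 3629. The param_exists(), param_string(), param_alphanum() and param_integer() functions are hypothetical stand-ins modelled on the function names in the description, and the request contents are constructed. The overlong two-byte encoding of '<' (C0 BC) in the demo is the classic reason byte-level validation matters (a filter looking for the byte 0x3C never sees it, while a lenient decoder may render it as '<'); the page does not say this was the vector in Mahara, it is simply the general hazard the fix removes.

```php
<?php
declare(strict_types=1);

// Step 1: keep only well-formed UTF-8 sequences and drop everything else:
// overlong forms such as C0 BC, stray continuation bytes, encoded UTF-16
// surrogates (ED A0..BF xx), code points above U+10FFFF, and NULL bytes.
// Without the /u modifier PCRE matches raw bytes, so the pattern itself is
// immune to the malformed input it is filtering.
function discard_invalid_utf8(string $s): string
{
    $wellFormed = '/
        [\x01-\x7F]                         # ASCII, NUL deliberately excluded
      | [\xC2-\xDF][\x80-\xBF]              # 2-byte, overlong leads C0 and C1 excluded
      | \xE0[\xA0-\xBF][\x80-\xBF]          # 3-byte, overlongs excluded
      | [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}   # 3-byte
      | \xED[\x80-\x9F][\x80-\xBF]          # 3-byte, surrogates D800-DFFF excluded
      | \xF0[\x90-\xBF][\x80-\xBF]{2}       # 4-byte, overlongs excluded
      | [\xF1-\xF3][\x80-\xBF]{3}           # 4-byte
      | \xF4[\x80-\x8F][\x80-\xBF]{2}       # 4-byte, nothing above U+10FFFF
    /x';
    preg_match_all($wellFormed, $s, $m);
    return implode('', $m[0]);
}

// Step 2: drop Unicode noncharacters (U+FDD0..U+FDEF plus U+nFFFE/U+nFFFF in
// each of the 17 planes). The input is valid UTF-8 by now, so /u is safe here.
function discard_noncharacters(string $s): string
{
    $class = '\x{FDD0}-\x{FDEF}';
    for ($plane = 0; $plane <= 0x10; $plane++) {
        $class .= sprintf('\x{%XFFFE}\x{%XFFFF}', $plane, $plane);
    }
    return preg_replace('/[' . $class . ']/u', '', $s) ?? $s;
}

function clean_input(string $s): string
{
    return discard_noncharacters(discard_invalid_utf8($s));
}

// Step 3: read request parameters through typed accessors instead of touching
// $_GET / $_POST directly. Hypothetical stand-ins (not Mahara's code) modelled
// on the param_exists() / param_*() names in the advisory text.
function param_exists(string $name): bool
{
    return isset($_POST[$name]) || isset($_GET[$name]);
}

function param_string(string $name): ?string
{
    $v = $_POST[$name] ?? $_GET[$name] ?? null;
    return is_string($v) ? clean_input($v) : null;   // array-valued params never pass
}

function param_alphanum(string $name, ?string $default = null): string
{
    $v = param_string($name) ?? $default;
    if ($v === null || !preg_match('/^[A-Za-z0-9_]+$/', $v)) {
        throw new InvalidArgumentException("parameter '$name' is missing or not alphanumeric");
    }
    return $v;
}

function param_integer(string $name, ?int $default = null): int
{
    $v = param_string($name);
    if ($v === null) {
        if ($default === null) {
            throw new InvalidArgumentException("parameter '$name' is missing");
        }
        return $default;
    }
    if (!preg_match('/^-?[0-9]+$/', $v)) {
        throw new InvalidArgumentException("parameter '$name' is not an integer");
    }
    return (int) $v;
}

// Constructed demo input: an overlong '<' (C0 BC), a NULL byte, a stray
// continuation byte and U+FFFE wrapped around otherwise harmless text.
$raw = "\xC0\xBC" . "script\x00" . "\x80" . "\xEF\xBF\xBE" . " caf\xC3\xA9";
var_dump(clean_input($raw));

// Constructed request: the accessors strip the junk and enforce the type.
$_GET = ['view' => "12\xC0\xBC", 'sort' => 'title'];
var_dump(param_exists('view'), param_integer('view'), param_alphanum('sort', 'name'));
```

Running this leaves only "script café" from the first input, and the request demo yields true, the integer 12 and the string "title". Cleaning at the input boundary is what makes the output side safe: PHP's htmlspecialchars() returns an empty string for a string containing invalid UTF-8 unless ENT_SUBSTITUTE is passed, so escaping code that is handed raw bytes can silently fail rather than escape, which is one more reason to discard such bytes before they reach any template.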
The vulnerability ID for this Mahara issue is CVE-2017-17454.
The severity of CVE-2017-17454 is medium with a CVSS score of 5.4.
CVE-2017-17454 affects Mahara versions 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2.
CVE-2017-17454 allows an attacker to perform Cross-Site Scripting (XSS) attacks by entering invalid UTF-8 characters.
To fix CVE-2017-17454, update your Mahara installation to 16.10.7, 17.04.5, or 17.10.2 (or later) on the release branch you are running.