First published: Mon Apr 09 2018
Mahara 16.10 before 16.10.9, 17.04 before 17.04.7, and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by crafted POST requests. Mahara should therefore not rely on TinyMCE's client-side code stripping alone, but must also clean input on the server/PHP side, because a client can build its own POST data containing bad content and send it directly to the server.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mahara Mahara | >=16.10, <16.10.9 | |
| Mahara Mahara | >=17.04, <17.04.7 | |
| Mahara Mahara | >=17.10, <17.10.4 | |
The vulnerability ID is CVE-2018-6182.
Mahara 16.10 before 16.10.9, 17.04 before 17.04.7, and 17.10 before 17.10.4 are affected.
The severity of CVE-2018-6182 is medium, with a CVSS score of 6.1.
This vulnerability can be exploited by bypassing TinyMCE through malicious POST packages.
To mitigate this vulnerability, Mahara should not rely solely on TinyMCE's code stripping, but also clean input on the server/PHP side.