CVE-2017-14752

Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugs.launchpad.net/mahara/+bug/1719491	Issue Tracking Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mahara:mahara:15.04:rc1::::::
	cpe:2.3:a:mahara:mahara:15.04:rc2::::::
	cpe:2.3:a:mahara:mahara:15.04.0:::::::*
	cpe:2.3:a:mahara:mahara:15.04.1:::::::*
	cpe:2.3:a:mahara:mahara:15.04.2:::::::*
	cpe:2.3:a:mahara:mahara:15.04.3:::::::*
	cpe:2.3:a:mahara:mahara:15.04.4:::::::*
	cpe:2.3:a:mahara:mahara:15.04.5:::::::*
	cpe:2.3:a:mahara:mahara:15.04.6:::::::*
	cpe:2.3:a:mahara:mahara:15.04.7:::::::*
	cpe:2.3:a:mahara:mahara:15.04.8:::::::*
	cpe:2.3:a:mahara:mahara:15.04.9:::::::*
	cpe:2.3:a:mahara:mahara:15.04.10:::::::*
	cpe:2.3:a:mahara:mahara:15.04.11:::::::*
	cpe:2.3:a:mahara:mahara:15.04.12:::::::*
	cpe:2.3:a:mahara:mahara:15.04.13:::::::*
	cpe:2.3:a:mahara:mahara:15.04.14:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:mahara:mahara:16.04:rc1::::::
	cpe:2.3:a:mahara:mahara:16.04:rc2::::::
	cpe:2.3:a:mahara:mahara:16.04.0:::::::*
	cpe:2.3:a:mahara:mahara:16.04.1:::::::*
	cpe:2.3:a:mahara:mahara:16.04.2:::::::*
	cpe:2.3:a:mahara:mahara:16.04.3:::::::*
	cpe:2.3:a:mahara:mahara:16.04.4:::::::*
	cpe:2.3:a:mahara:mahara:16.04.5:::::::*
	cpe:2.3:a:mahara:mahara:16.04.6:::::::*
	cpe:2.3:a:mahara:mahara:16.04.7:::::::*
	cpe:2.3:a:mahara:mahara:16.04.8:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:mahara:mahara:16.10:rc1::::::
	cpe:2.3:a:mahara:mahara:16.10:rc2::::::
	cpe:2.3:a:mahara:mahara:16.10.0:::::::*
	cpe:2.3:a:mahara:mahara:16.10.1:::::::*
	cpe:2.3:a:mahara:mahara:16.10.2:::::::*
	cpe:2.3:a:mahara:mahara:16.10.3:::::::*
	cpe:2.3:a:mahara:mahara:16.10.4:::::::*
	cpe:2.3:a:mahara:mahara:16.10.5:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:mahara:mahara:17.04:rc1::::::
	cpe:2.3:a:mahara:mahara:17.04:rc2::::::
	cpe:2.3:a:mahara:mahara:17.04.0:::::::*
	cpe:2.3:a:mahara:mahara:17.04.1:::::::*
	cpe:2.3:a:mahara:mahara:17.04.2:::::::*
	cpe:2.3:a:mahara:mahara:17.04.3:::::::*

History

No history.

Information

Published : 2017-10-31 18:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-14752

Mitre link : CVE-2017-14752

CVE.ORG link : CVE-2017-14752

JSON object : View

Products Affected

mahara

mahara

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2017-14752

5.4^/10

3.5^/10

Attach tags to `CVE-2017-14752`