CVE-2017-17454
Last modified
CVE-2017-17454 is a vulnerability of currently unknown severity. Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. EPSS estimates a 0.72% chance of exploitation in the next 30 days.
Description
Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mahara | Mahara | >= 16.10.0, < 16.10.7 |
| Mahara | Mahara | >= 17.04.0, < 17.04.5 |
| Mahara | Mahara | >= 17.10.0, < 17.10.2 |
References
- https://bugs.launchpad.net/mahara/+bug/1732987Third Party Advisory
- https://mahara.org/interaction/forum/topic.php?id=8149Vendor Advisory
- https://reviews.mahara.org/#/c/8191/Vendor Advisory
- https://bugs.launchpad.net/mahara/+bug/1732987Third Party Advisory
- https://mahara.org/interaction/forum/topic.php?id=8149Vendor Advisory
- https://reviews.mahara.org/#/c/8191/Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-17454?
How severe is CVE-2017-17454?
How do I fix CVE-2017-17454?
Are you affected by CVE-2017-17454?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST