Vulnerability Description
Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mahara | Mahara | >= 16.10.0, < 16.10.7 |
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/mahara/+bug/1732987Third Party Advisory
- https://mahara.org/interaction/forum/topic.php?id=8149Vendor Advisory
- https://reviews.mahara.org/#/c/8191/Vendor Advisory
- https://bugs.launchpad.net/mahara/+bug/1732987Third Party Advisory
- https://mahara.org/interaction/forum/topic.php?id=8149Vendor Advisory
- https://reviews.mahara.org/#/c/8191/Vendor Advisory
FAQ
What is CVE-2017-17454?
CVE-2017-17454 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be dis...
How severe is CVE-2017-17454?
CVE-2017-17454 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17454?
Check the references section above for vendor advisories and patch information. Affected products include: Mahara Mahara.