Mahara Resume Blocktype Cross Site Scripting Vulnerability

Mahara is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to Mahara 1.0.13 and 1.1.7.

Information

Bugtraq ID: 36892
Class: Input Validation Error
CVE: CVE-2009-3299

Remote: Yes
Local: No
Published: Oct 29 2009 12:00AM
Updated: Sep 07 2017 02:13PM
Credit: Sven Vetsch
Vulnerable: Mahara Mahara 1.1.6
Mahara Mahara 1.1.5
Mahara Mahara 1.1.4
Mahara Mahara 1.1.3
Mahara Mahara 1.1.2
Mahara Mahara 1.1.1
Mahara Mahara 1.0.12
Mahara Mahara 1.0.11
Mahara Mahara 1.0.10
Mahara Mahara 1.0.9
Mahara Mahara 1.0.8
Mahara Mahara 1.0.6
Mahara Mahara 1.0.5
Mahara Mahara 1.0.4
Mahara Mahara 1.0.3
Mahara Mahara 1.0.2
Mahara Mahara 1.0.1

Not Vulnerable: Mahara Mahara 1.1.7
Mahara Mahara 1.0.13

Exploit

Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI.

References:

• Mahara 1.1.7 Release Notes (Mahara)
  
• Security Announcements - XSS in Mahara 1.1.6 and 1.0.12 (Mahara)
  

Source: www.securityfocus.com