Vulnerabilities > Mahara > Low
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-03 | CVE-2017-1000140 | Cross-site Scripting vulnerability in Mahara Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .xml file that can have its code executed when user tries to download the file. | 3.5 |
| 2017-11-03 | CVE-2017-1000144 | Cross-site Scripting vulnerability in Mahara Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages. | 3.5 |
| 2017-11-03 | CVE-2017-1000146 | Cross-site Scripting vulnerability in Mahara Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04.2 are vulnerable to the arbitrary execution of Javascript in the browser of a logged-in user because the title of the portfolio page was not being properly escaped in the AJAX script that updates the Add/remove watchlist link on artefact detail pages. | 3.5 |
| 2017-11-03 | CVE-2017-1000149 | Cross-site Scripting vulnerability in Mahara Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15.10.2 are vulnerable to XSS due to window.opener (target="_blank" and window.open()) | 3.5 |
| 2017-11-03 | CVE-2017-1000157 | Information Exposure vulnerability in Mahara Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before 16.10.4 and 17.04 before 17.04.2 are vulnerable to recording plain text passwords in the event_log table during the user creation process if full event logging was turned on. | 3.5 |
| 2017-10-31 | CVE-2017-14752 | Cross-site Scripting vulnerability in Mahara Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara. | 3.5 |
| 2017-10-31 | CVE-2017-15273 | Cross-site Scripting vulnerability in Mahara Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. | 3.5 |
| 2011-05-13 | CVE-2011-1405 | Cross-Site Scripting vulnerability in Mahara Cross-site scripting (XSS) vulnerability in Mahara before 1.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors associated with HTML e-mail messages, related to artefact/comment/lib.php and interaction/forum/lib.php. | 3.5 |