Vulnerabilities > Mahara > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-11-03 | CVE-2017-1000138 | Cross-site Scripting vulnerability in Mahara 1.10/15.04 Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when dragging/dropping files into a collection if the file has Javascript code in its title. | 5.4 |
| 2017-11-03 | CVE-2017-1000137 | Cross-site Scripting vulnerability in Mahara 1.10/15.04 Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to possible cross site scripting when adding a text block to a page via the keyboard (rather than drag and drop). | 5.4 |
| 2017-11-03 | CVE-2017-1000136 | Insufficient Session Expiration vulnerability in Mahara Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 and 15.04 before 15.04.0 are vulnerable to old sessions not being invalidated after a password change. | 6.5 |
| 2017-11-03 | CVE-2017-1000135 | Insufficient Session Expiration vulnerability in Mahara Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable as logged-in users can stay logged in after the institution they belong to is suspended. | 6.5 |
| 2017-11-03 | CVE-2017-1000132 | Cross-site Scripting vulnerability in Mahara Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file. | 4.8 |
| 2017-11-03 | CVE-2017-1000131 | Insufficient Session Expiration vulnerability in Mahara Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before 16.04.2 are vulnerable to users staying logged in to their Mahara account even when they have been logged out of Moodle (when using MNet) as Mahara did not properly implement one of the MNet SSO API functions. | 6.5 |
| 2017-10-31 | CVE-2017-15273 | Cross-site Scripting vulnerability in Mahara Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as titles in internal artefacts. | 5.4 |
| 2017-10-31 | CVE-2017-14752 | Cross-site Scripting vulnerability in Mahara Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10.6, and 17.04 before 17.04.4 are vulnerable to a user submitting a potential dangerous payload, e.g., XSS code, to be saved as their first name, last name, or display name in the profile fields that can cause issues such as escalation of privileges or unknown execution of malicious code when replying to messages in Mahara. | 5.4 |
| 2017-09-25 | CVE-2017-9551 | Cross-site Scripting vulnerability in Mahara Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user submitting potential dangerous payload, e.g. | 6.1 |