XSS in collection title when viewing on matrix page

Bug #1819547 reported by Robert Lyon
Affects        Status        Importance  Assigned to  Milestone
Mahara         Fix Released  High        Robert Lyon
Mahara 17.10   Fix Released  High        Unassigned
Mahara 18.04   Fix Released  High        Unassigned
Mahara 18.10   Fix Released  High        Unassigned
Mahara 19.04   Fix Released  High        Robert Lyon

Bug Description

This is an oversight in the collection nav system from when we added SmartEvidence and had the collection nav display on the matrix page. The collection name is not being escaped.

To test:
1) Have smart evidence turned on for an institution
2) Create a collection and give it a title/name like: <script>alert(document.cookie);</script>
3) Add pages to the collection
4) Make sure to assign a SmartEvidence option to the collection
5) Visit the collection matrix page - you should get an alert pop-up displaying

We just need to escape the collection title before passing it to the collectionnav.tpl

Thanks to Kirtikumar Anandrao Ramchandani for reporting it.
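The fix the report describes (escape the title once, before it is handed to collectionnav.tpl), shown as an added PHP example that is not Mahara's own code; the function and array key names are assumptions, and a small string builder stands in for the Dwoo template.

```php
<?php
// Added example, not Mahara's own code. It mimics the data array handed to
// collectionnav.tpl; helper names and array keys are assumptions.

// Constructed sample input: the title from the bug's reproduction steps.
$collection_title = '<script>alert(document.cookie);</script>';

// Before the fix: the title reaches the template untouched, so the rendered
// page contains a live <script> element.
function build_collectionnav_data_vulnerable(string $title, array $views): array {
    return ['collectiontitle' => $title, 'views' => $views];
}

// After the fix: escape once, at the point the value is handed to the
// template. ENT_QUOTES keeps the value safe inside attribute values too.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function build_collectionnav_data(string $title, array $views): array {
    return [
        'collectiontitle' => escape_for_html($title),
        'views' => array_map(function (array $v): array {
            return ['id' => (int) $v['id'], 'title' => escape_for_html($v['title'])];
        }, $views),
    ];
}

// Stand-in for the template: it interpolates values exactly as given, which
// is why the escaping has to happen before the data gets here.
function render_nav(array $data): string {
    $html = '<h2 class="collection-title">' . $data['collectiontitle'] . '</h2><ul>';
    foreach ($data['views'] as $v) {
        $html .= '<li><a href="/view/view.php?id=' . $v['id'] . '">' . $v['title'] . '</a></li>';
    }
    return $html . '</ul>';
}

$views = [['id' => 42, 'title' => 'Page "one" & two']];   // constructed

$unsafe = render_nav(build_collectionnav_data_vulnerable($collection_title, $views));
$safe   = render_nav(build_collectionnav_data($collection_title, $views));

// Regression check: no script element may survive in the rendered markup.
assert(strpos($unsafe, '<script>') !== false);           // bug reproduces
assert(strpos($safe, '<script>') === false);             // now &lt;script&gt;
assert(strpos($safe, '&quot;one&quot; &amp; two') !== false);

echo $safe, PHP_EOL;
```

Escaping at this single hand-off point, rather than in every template that prints the title, is also what keeps the value from being escaped twice.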

Kristina Hoeppner (kris-hoeppner) wrote :

CVE number has been requested and will be posted once available.

description: updated
Kristina Hoeppner (kris-hoeppner) wrote :

Message for the forum announcement:

Cross site scripting of collection title on SmartEvidence overview page

Severity: High
Vulnerability type: XSS

An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 before 18.04.4, and 18.10 before 18.10.1. The collection title is vulnerable to Cross Site Scripting (XSS) due to not escaping it when viewing the collection's SmartEvidence overview page (if that feature is turned on). This can be exploited by any logged-in user.

Reported by: Kirtikumar Anandrao Ramchandani
Bug report: https://bugs.launchpad.net/mahara/+bug/1819547
CVE reference: CVE-2019-9709

Link CVE number to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-9709

Robert Lyon (robertl-9):
information type: Private Security → Public Security