Launchpad.net

CVE 2012-2243

Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script. NOTE: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path.

Related bugs and status

CVE-2012-2243 (Candidate) is related to these bugs:

Bug #1055232: XSS using user uploaded XHTML files

		In	Importance	Status
1055232	XSS using user uploaded XHTML files	Mahara	Critical	Fix Released
1055232	XSS using user uploaded XHTML files	Mahara 1.5	Critical	Fix Released
1055232	XSS using user uploaded XHTML files	Mahara 1.4	Critical	Fix Released

Bug #1063480: Reflected XSS in user/group bulk CSV upload

		In	Importance	Status
1063480	Reflected XSS in user/group bulk CSV upload	Mahara	High	Fix Released
1063480	Reflected XSS in user/group bulk CSV upload	Mahara 1.4	High	Fix Released
1063480	Reflected XSS in user/group bulk CSV upload	Mahara 1.5	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2012-2243

Related bugs and status

Related bugs

References