
mahara-contributors team mailing list archive

[Bug 1381868] Re: XSS with institution full name on user profile page


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8698

https://bugs.launchpad.net/bugs/1381868

Title:
  XSS with institution full name on user profile page

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  Yuliya reported this one to me via IRC. The institution display name
  is not filtered for HTML on the user profile page. Consequently, site
  admins and institutional admins can put JavaScript into it.

  This is a medium-level security threat, mainly of concern to multi-
  tenanted Mahara institutions where the security of the "institutional
  admin" users may not be fully vetted by the site administrators.

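As an added illustration of the bug class described in the report (this is not Mahara's code; the two renderers, the `h()` helper, the `output_is_escaped()` check and the sample institution name are constructed for this example), the unescaped output sits beside the escaped form, with a check a regression test could run over both:

```php
<?php
// Added example, not Mahara code: a minimal profile-page fragment that
// shows admin-controlled text rendered without and with HTML escaping.

// Constructed sample: a display name an institution admin could set.
const SAMPLE_NAME = "Example Institute <script>alert('xss')</script>";

// Vulnerable: the admin-controlled name is interpolated straight into
// the markup, so any tags it contains are sent to the browser as HTML.
function render_institution_vulnerable(string $displayname): string {
    return "<div class=\"institution\">Member of $displayname</div>";
}

// Hardened: escape on output. ENT_QUOTES also encodes single and double
// quotes, so the same helper is safe inside attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_institution_fixed(string $displayname): string {
    return "<div class=\"institution\">Member of " . h($displayname) . "</div>";
}

// Regression check: if the input carried markup characters, the literal
// input must not survive in the output and no raw <script tag may appear.
function output_is_escaped(string $html, string $input): bool {
    if (strpbrk($input, "<>\"'&") === false) {
        return true; // nothing in the input needed escaping
    }
    return strpos($html, $input) === false
        && preg_match('/<script\b/i', $html) === 0;
}

$bad  = render_institution_vulnerable(SAMPLE_NAME);
$good = render_institution_fixed(SAMPLE_NAME);

var_dump(output_is_escaped($bad, SAMPLE_NAME));
var_dump(output_is_escaped($good, SAMPLE_NAME));
echo $good, "\n";
```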