CVE-2024-39923

An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://mahara.org/interaction/forum/topic.php?id=9546	Vendor Advisory
https://mahara.org/interaction/forum/view.php?id=43	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mahara:mahara::::::::
	cpe:2.3:a:mahara:mahara::::::::

History

No history.

Information

Published : 2025-08-25 14:15

Updated : 2025-09-05 17:04

NVD link : CVE-2024-39923

Mitre link : CVE-2024-39923

CVE.ORG link : CVE-2024-39923

JSON object : View

Products Affected

mahara

mahara

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-39923", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-08-25T14:15:29.937", "references": [{"url": "https://mahara.org/interaction/forum/topic.php?id=9546", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://mahara.org/interaction/forum/view.php?id=43", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Mahara 24.04 (antes de la versi\u00f3n 24.04.2) y 23.04 (antes de la versi\u00f3n 23.04.7). Los enlaces de pie de p\u00e1gina \"About\", \"Contact\" y \"Help\" pueden configurarse para ser vulnerables a ataques de Cross Site Scripting (XSS) debido a la falta de depuraci\u00f3n de los valores. Estos enlaces solo pueden ser configurados por un administrador, pero cualquier persona que haya iniciado sesi\u00f3n puede hacer clic en ellos."}], "lastModified": "2025-09-05T17:04:45.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97ECBE31-D669-4EB6-80D5-42F82E398ACF", "versionEndExcluding": "23.04.7", "versionStartIncluding": "23.04.0"}, {"criteria": "cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F04DD618-F6AF-45DB-8291-6500251D6C96", "versionEndIncluding": "24.04.2", "versionStartIncluding": "24.04.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}