CVE-2009-0660
Description
Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 before 1.0.10 and 1.1 before 1.1.2 allow remote attackers to inject arbitrary web script or HTML via a (1) profile and (2) blog, a different vulnerability than CVE-2009-0487.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerabilities in Mahara profile and blog fields allow remote attackers to inject arbitrary web script or HTML.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in Mahara versions prior to 1.0.10 and 1.1.2. The vulnerabilities are present in user-supplied profile data and blog posts, allowing arbitrary script or HTML injection through these fields [1]. This issue is distinct from CVE-2009-0487 [1].
Exploitation
An attacker can exploit these vulnerabilities by submitting crafted JavaScript/HTML payloads via the profile fields (such as display name, bio, etc.) or blog entry content. No special network position is required beyond normal web access, and the attack does not require authentication, as profiles and blogs can be viewed by any site visitor. The injected content is stored and later executed when other users visit the attacker's profile or blog page.
Impact
Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser when viewing the attacker's profile or blog. This can lead to session hijacking, data theft (including cookies and tokens), or defacement of the Mahara application for targeted users.
Mitigation
The vulnerabilities are fixed in Mahara versions 1.0.10 and 1.1.2, released on 10 March 2009 [1][2]. Users are strongly recommended to upgrade to these versions. No workaround is described in the available references.
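The narrative above describes stored XSS through profile and blog fields. The following is an added example, not Mahara's own code, of the general defence for that class: contextual output encoding of every user-supplied field before it is placed into an HTML page. The function names `escape_html` and `render_profile` and the field names `displayname` and `introduction` are assumptions chosen for illustration; the sample input is constructed.

```php
<?php
// Added example (not code from Mahara): encode user-supplied profile fields
// before interpolating them into HTML, so stored markup is displayed as text
// rather than interpreted by the viewer's browser.
declare(strict_types=1);

/**
 * Encode an untrusted string for use as HTML text or inside a quoted attribute.
 * ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
 * rather than returning an empty string, and the charset is fixed to UTF-8 so
 * the encoder and the page agree on byte interpretation.
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a hypothetical profile card. Every value that originated from a user
 * passes through escape_html(); nothing is concatenated raw.
 */
function render_profile(array $profile): string
{
    $name  = escape_html($profile['displayname'] ?? '');
    $intro = escape_html($profile['introduction'] ?? '');
    return "<div class=\"profile\">\n"
         . "  <h2 title=\"$name\">$name</h2>\n"
         . "  <p>$intro</p>\n"
         . "</div>\n";
}

// Constructed sample input: a display name carrying markup that must be shown
// literally when another user views the profile, and an introduction with
// quotes and an ampersand that must survive encoding intact.
$sample = [
    'displayname'  => '<script>alert(1)</script>',
    'introduction' => 'Hello, I\'m "new" here & learning.',
];

echo render_profile($sample);
```

Encoding is the right tool for fields that are meant to be plain text (display names, short bios). A blog body that is intentionally allowed to contain HTML needs an allowlist sanitizer (for example HTML Purifier) rather than encoding, since encoding would display the author's formatting as raw tags; the page does not say which of these Mahara applied in the 1.0.10 and 1.1.2 fixes.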
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
- Version range (no CPE): <1.0.10, <1.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/34064 (nvd; tags: Exploit, Patch)
- mahara.org/interaction/forum/topic.php (nvd; tag: Vendor Advisory)
- secunia.com/advisories/34222 (nvd; tag: Vendor Advisory)
- secunia.com/advisories/34231 (nvd; tag: Vendor Advisory)
- wiki.mahara.org/Release_Notes/1.1.2 (nvd)
- www.debian.org/security/2009/dsa-1736 (nvd)
- www.vupen.com/english/advisories/2009/0665 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/49168 (nvd)
News mentions
No linked articles in our index yet.