CVE-2009-2170
Description
Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0 before 1.0.12 and 1.1 before 1.1.5 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple cross-site scripting vulnerabilities in Mahara versions prior to 1.0.12 and 1.1.5 allow remote attackers to inject arbitrary web script or HTML.
Vulnerability
Mahara versions 1.0 before 1.0.12 and 1.1 before 1.1.5 contain multiple cross-site scripting (XSS) vulnerabilities [1]. The specific vectors are not disclosed in the available references, but the flaws allow injection of arbitrary web script or HTML. The affected versions are 1.0.0 through 1.0.11 and 1.1.0 through 1.1.4.
Exploitation
Remote attackers can exploit these vulnerabilities by crafting malicious input that, when processed by Mahara, results in the execution of arbitrary script in the context of a user's browser. The exact attack vectors are unknown, but typical XSS exploitation requires the attacker to trick a user into interacting with crafted content (e.g., a link or a page containing the injected script). No authentication is explicitly required for the attack to succeed.
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML, leading to potential data theft, session hijacking, or defacement within the affected Mahara instance. The impact is limited to the browser context of the victim user, but could be used to perform actions on behalf of that user if combined with other techniques.
Mitigation
The Mahara project has released fixed versions 1.0.12 and 1.1.5 to address these vulnerabilities [1]. Users are strongly advised to upgrade to the latest patched version. No workarounds are documented in the available references. If upgrading is not immediately possible, consider restricting access to Mahara or applying input validation measures, though neither is an officially documented mitigation.
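Because the reference gives no vectors, the general fix for this class of bug is the one worth showing: encode untrusted text for the HTML context it lands in at render time, and verify that the rendered page contains only the markup the template intended. The block below is an added illustration written for this page, not Mahara code; the template, the `display_name` field and the sample inputs are constructed assumptions. It contrasts the vulnerable concatenation pattern with contextual encoding (`html.escape`), and also shows why a naive input filter of the kind the paragraph mentions is weaker than encoding.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not taken from the CVE record): the kind of
# user-supplied profile text a portfolio application renders back to other users.
SAMPLE_INPUTS = {
    "plain": "Hello, world",
    "tag": "<script>alert(1)</script>",
    "attr_break": '" onmouseover="alert(1)',
}


def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern: untrusted text concatenated straight into HTML.
    Hypothetical template; Mahara's real templates are not shown on the page."""
    return f'<a href="/user/profile" title="{display_name}">{display_name}</a>'


def render_escaped(display_name: str) -> str:
    """Hardened form: encode for both the attribute and element-body contexts.
    quote=True also encodes " and ' so the value cannot close the attribute."""
    safe = html.escape(display_name, quote=True)
    return f'<a href="/user/profile" title="{safe}">{safe}</a>'


def naive_input_filter(value: str) -> bool:
    """A blocklist-style input check: accepts anything without a literal <script.
    Included only to show that such validation misses attribute-context injection."""
    return "<script" not in value.lower()


class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def collect_tags(markup: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def renders_only_template_markup(markup: str) -> bool:
    """Defender's check: the only element in the output must be the template's
    single <a> carrying exactly the attributes the template declared (href, title).
    Any extra element or attribute means untrusted input altered the markup."""
    tags = collect_tags(markup)
    return (
        len(tags) == 1
        and tags[0][0] == "a"
        and set(tags[0][1]) == {"href", "title"}
    )


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(f"{name:10s} filter-accepts={naive_input_filter(value)!s:5s} "
              f"unsafe-ok={renders_only_template_markup(render_unsafe(value))!s:5s} "
              f"escaped-ok={renders_only_template_markup(render_escaped(value))}")
```

Run stand-alone, the table shows that the `attr_break` input passes the naive filter yet still changes the markup in the unsafe renderer, while the encoded renderer keeps the template intact for every input. The same parser-based check can be reused as a regression test for any template that embeds user-controlled strings.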
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.4:*:*:*:*:*:*:*
- (no CPE) range: 1.0 < 1.0.12 and 1.1 < 1.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. mahara.org/interaction/forum/topic.php (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.