CVE-2009-3299
Description
Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Mahara resume blocktype allows remote attackers to inject arbitrary web script or HTML.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the resume blocktype of Mahara, an open-source ePortfolio system. The flaw allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Affected versions are Mahara before 1.0.13 and 1.1.x before 1.1.7 [1][2][3].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input that, when processed by the resume blocktype, executes arbitrary script in the context of a victim's browser. No authentication is required; the attacker only needs to deliver the payload to a user viewing the affected resume content.
Impact
Successful exploitation leads to arbitrary script execution in the victim's browser, potentially resulting in session hijacking, data theft, or defacement. The attacker gains the ability to perform actions on behalf of the victim within the Mahara application.
Mitigation
The vulnerability is fixed in Mahara versions 1.0.13 and 1.1.7, released on 2009-11-03 [1][2][3]. Users should upgrade immediately. No workarounds are documented; upgrading is the recommended mitigation.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
22cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*+ 21 more
- cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*range: <=1.0.12
- cpe:2.3:a:mahara:mahara:1.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.1.6:*:*:*:*:*:*:*
- (no CPE)range: <1.0.13, >=1.1.0 <1.1.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- eduforge.org/frs/shownotes.phpnvdPatch
- www.securityfocus.com/bid/36892nvdPatch
- www.vupen.com/english/advisories/2009/3101nvdPatchVendor Advisory
- secunia.com/advisories/37217nvdVendor Advisory
- secunia.com/advisories/37218nvdVendor Advisory
- eduforge.org/frs/shownotes.phpnvd
- mahara.org/interaction/forum/topic.phpnvd
- www.debian.org/security/2009/dsa-1924nvd
- www.osvdb.org/59583nvd
News mentions
0No linked articles in our index yet.