VYPR
← All advisories
Unrated severityNVD Advisory· Published Mar 28, 2011· Updated Apr 29, 2026

CVE-2011-0439

CVE-2011-0439

Description

Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via the Pieforms select box.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 via the Pieforms select box allows remote attackers to inject arbitrary web script or HTML.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the Pieforms select box component of Mahara versions 1.2.x prior to 1.2.7 and 1.3.x prior to 1.3.4 [1][2]. The select box does not properly sanitize user-supplied input, allowing injection of arbitrary web script or HTML.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious input or URL that, when processed by the Pieforms select box, executes injected script in the victim's browser. No authentication is required; the victim only needs to view the crafted content (e.g., click a link). The script runs in the context of the victim's session on the Mahara site.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The attacker gains the same privileges as the victim within the Mahara application.

Mitigation

The vulnerability is fixed in Mahara versions 1.2.7 and 1.3.4, released on 24 March 2011 [1]. Users are strongly advised to upgrade to these versions or later. No workarounds are documented. The CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.

References
  1. News - Mahara 1.2.7 and 1.3.4 released - Mahara ePortfolio System
  2. Security announcements - XSS in Mahara 1.2.6 and 1.3.3 - Mahara ePortfolio System

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

25
  • Mahara (software)/Mahara25 versions
    cpe:2.3:a:mahara:mahara:1.2.0:*:*:*:*:*:*:*+ 24 more
    • cpe:2.3:a:mahara:mahara:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.3.3:*:*:*:*:*:*:*
    • (no CPE)range: <1.2.7, <1.3.4

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.