CVE-2017-1000132
Description
Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 and 15.04 before 15.04.0 are vulnerable to a maliciously created .swf files that can have its code executed when a user tries to download the file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Cross-Site Scripting (XSS) vulnerability in Mahara allows attackers to execute arbitrary SWF file code when a user downloads the file, impacting multiple versions before specific patches.
Vulnerability
Mahara versions 1.8 before 1.8.7, 1.9 before 1.9.5, 1.10 before 1.10.3, and 15.04 before 15.04.0 are vulnerable to a Cross-Site Scripting (XSS) flaw via maliciously crafted .swf files [1]. An authenticated user can upload a .swf file containing ActionScript code, and when another user attempts to download the file, the code executes in the context of the victim's browser [1]. This affects the file download functionality and requires the attacker to have an account with file upload privileges.
Exploitation
An attacker logs into Mahara and navigates to a page where they can add a "File(s) to Download" block (e.g., in a profile page) [1]. They upload a .swf file containing malicious ActionScript code [1]. When a victim, such as an admin, accesses the page and clicks to download the .swf file, the browser interprets the file as a Flash object and executes the embedded ActionScript code [1]. No additional user interaction beyond the download action is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary ActionScript code in the victim's browser [1]. This can lead to theft of session cookies, account compromise, and redirection to malicious websites hosting malware or trojans [1]. The attacker could potentially use a self-propagating XSS worm to affect other users [1]. The privilege level required is a standard user account with file upload capabilities; the impact can escalate to full account takeover for an admin victim.
Mitigation
The vulnerability is fixed in Mahara versions 1.8.7, 1.9.5, 1.10.3, and 15.04.0 [1]. Users should upgrade to these or later versions. As a workaround, administrators can implement input validation to check uploaded files for malicious content, particularly .swf files [1]. This issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
22cpe:2.3:a:mahara:mahara:1.10.0:*:*:*:*:*:*:*+ 21 more
- cpe:2.3:a:mahara:mahara:1.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:15.04:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:15.04:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.8:rc2:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:mahara:mahara:1.9:rc1:*:*:*:*:*:*
- (no CPE)range: >=1.8, <1.8.7 || >=1.9, <1.9.5 || >=1.10, <1.10.3 || >=15.04, <15.04.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- bugs.launchpad.net/mahara/+bug/1190788nvdExploitIssue TrackingPatchThird Party Advisory
News mentions
0No linked articles in our index yet.