VYPR
← All advisories
Medium severity4.8NVD Advisory· Published Nov 3, 2017· Updated May 13, 2026

CVE-2017-1000144

CVE-2017-1000144

Description

Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04.1 are vulnerable to a site admin or institution admin being able to place HTML and Javascript into an institution display name, which will be displayed to other users unescaped on some Mahara system pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mahara stored XSS via institution display name allows institution admins to inject JavaScript, potentially leading to admin privilege escalation.

Vulnerability

Mahara versions 1.9 before 1.9.6, 1.10 before 1.10.4, and 15.04 before 15.04.1 are vulnerable to a stored cross-site scripting (XSS) vulnerability. An institution admin can set the institution display name to include arbitrary HTML and JavaScript, which is later rendered unescaped on certain system pages [1].

Exploitation

An attacker must have institution admin privileges. Steps include: creating a new institution, setting its name to a malicious script (e.g., ``), adding users, and then having a full admin view user reports or shared pages that display the institution name [1].

Impact

When a full admin views the access list of a user belonging to the malicious institution, the injected script executes in the admin's browser. This can lead to privilege escalation, allowing the institution admin to perform actions as the full admin [1].

Mitigation

Upgrade to Mahara 1.9.6, 1.10.4, or 15.04.1 as these versions contain the fix. No workaround is documented; the vulnerability requires institution admin access [1].

References
  1. Bug #1447377 “Stored XSS in user reports access lists, and share...” : Bugs : Mahara

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16
  • Mahara (software)/Mahara16 versions
    cpe:2.3:a:mahara:mahara:1.10.0:*:*:*:*:*:*:*+ 15 more
    • cpe:2.3:a:mahara:mahara:1.10.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.10.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.10.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.10:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:15.04.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:15.04:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:15.04:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mahara:mahara:1.9:rc1:*:*:*:*:*:*
    • (no CPE)range: >=1.9, <1.9.6; >=1.10, <1.10.4; >=15.04, <15.04.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Improper neutralization of user-controllable input in the institution display name field allows stored cross-site scripting."

Attack vector

An attacker who is an institution admin sets the institution display name to a malicious string such as `&lt;script&gt;alert(1);&lt;/script&gt;` [ref_id=1]. When a full site admin later views a user report or access list for a user belonging to that institution, the stored script executes in the full admin's browser [ref_id=1]. The attack can also trigger when any user shares a page with the malicious institution and then views "Shared by me" [ref_id=1]. This is a stored cross-site scripting (XSS) attack [CWE-79] that requires authenticated access as an institution admin but can lead to privilege escalation against a full admin [ref_id=1].

Affected code

The vulnerability lies in the institution display name field. When an institution admin changes the institution name to include HTML or JavaScript, that unsanitized input is stored and later rendered unescaped on several Mahara system pages, including user report access lists, "Shared by me" views, and group/institution sharing pages [ref_id=1].

What the fix does

The advisory states "Patch to come" but does not include a published patch or specific fix details [ref_id=1]. The remediation would require properly escaping or sanitizing the institution display name before rendering it on any page where it is displayed to other users, ensuring that HTML and JavaScript content is neutralized rather than output unescaped [CWE-79].

Preconditions

  • authAttacker must have institution admin privileges to modify the institution display name
  • inputA full site admin (or another user) must view a page that renders the malicious institution name unescaped
  • configThe application must be Mahara 1.9 before 1.9.6, 1.10 before 1.10.4, or 15.04 before 15.04.1

Reproduction

1. As a full admin, create a new institution and a new user with admin rights in that institution. 2. Log in as the new institution admin and change the institution name to `&lt;script&gt;alert(1);&lt;/script&gt;`. 3. Add some new users to the institution (their profile pages will automatically be shared with the institution). 4. As the full admin, run a user report on that new user and view the access list — the XSS triggers [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.