CVE-2020-23052
Description
Catalyst IT Ltd Mahara CMS v19.10.2 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component groupfiles.php via the Number (Nombre) and Description (Descripción) parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mahara CMS v19.10.2 is vulnerable to stored XSS via the Number and Description parameters in groupfiles.php, allowing persistent script injection.
Vulnerability
Mahara CMS v19.10.2 contains a stored cross-site scripting (XSS) vulnerability in the groupfiles.php component. The Number (Nombre) and Description (Descripción) parameters fail to properly sanitize user input, allowing the injection of arbitrary HTML and JavaScript code. The vulnerability is authenticated and requires guest-level privileges to access the affected component [1].
Exploitation
An attacker with guest-level authentication can craft a payload containing malicious JavaScript or HTML in the Number or Description fields when creating or editing a group file entry. The payload is stored on the server and executed in the browser of any user who views the affected page. Low user interaction is required as the victim only needs to access the manipulated content [1].
Impact
Successful exploitation leads to persistent cross-site scripting, enabling the attacker to execute arbitrary script code in the context of the victim's session. This can result in session hijacking, defacement, or redirection to malicious sites. The confidentiality, integrity, and availability of the application can be compromised depending on the attacker's objectives [1].
Mitigation
As of the available references, no official patch or fixed version has been confirmed by the vendor. Administrators should apply input validation and output encoding for the Number and Description parameters in groupfiles.php. Users are advised to restrict access to trusted users and monitor for suspicious activity. The vendor may have released a fix in a later version; checking the official Mahara repository is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Catalyst IT Ltd/Mahara CMSdescription
- Range: =19.10.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in the `nombre` and `descripción` parameters of `groupfiles.php` allows injection of arbitrary script code."
Attack vector
A low-privileged authenticated user sends a POST request to `/artefact/file/groupfiles.php` with malicious JavaScript payloads in the `nombre` (Name) and `descripción` (Description) parameters when creating a folder via the "Crear Carpeta" form [ref_id=1]. The injected payload is stored server-side and executed in the browser of any user (including higher-privileged backend users) who views, edits, lists, or deletes the folder entry [ref_id=1]. The attack requires only guest-level authentication and low user interaction (viewing the affected page) [ref_id=1].
Affected code
The vulnerability resides in the `groupfiles.php` file within the `Ficheros` (Files Manager) module [ref_id=1]. The vulnerable input parameters are `nombre` (Name) and `descripción` (Description) used in the "Crear Carpeta" (Create Folder) form [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory recommends proper input validation and output encoding for the `nombre` and `descripción` parameters in `groupfiles.php` to prevent persistent XSS [ref_id=1]. Without a published fix, administrators should apply general XSS mitigations such as sanitizing user-supplied folder names and descriptions before rendering them in the browser.
Preconditions
- authAttacker must have a low-privileged (guest-level) authenticated account on the Mahara CMS
- configAttacker must have access to the group file management module (Ficheros) and the 'Crear Carpeta' form
- networkThe application must be reachable over the network via HTTP POST requests
- inputMalicious payload is injected via the 'nombre' and 'descripción' POST parameters
Reproduction
1. Log in to Mahara CMS as a regular (low-privileged) user. 2. Navigate to the group management section and open the "Ficheros" tab. 3. Use the "Crear Carpeta" form and inject a payload such as `"><iframe src=evil.source onload=alert(document.cookie)></iframe>` into the Nombre and Descripción input fields. 4. The stored payload executes when any user views, edits, lists, or deletes the folder entry [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.vulnerability-lab.com/get_content.phpmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.