Vulnerability CVE-2012-2243

Vulnerability Name:

CVE-2012-2243 (CCN-79269)

Assigned:

2012-10-10

Published:

2012-10-10

Updated:

2013-02-08

Summary:

Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script.
Note: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2012-2243

Source: CCN
Type: SA50943
Mahara Multiple Vulnerabilities

Source: DEBIAN
Type: UNKNOWN
DSA-2591

Source: DEBIAN
Type: DSA-2591
mahara -- several vulnerabilities

Source: CCN
Type: BID-55916
Mahara Multiple Cross Site Scripting Vulnerabilities

Source: CCN
Type: Mahara Bug #1055232
XSS using user uploaded XHTML files

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/mahara/+bug/1055232

Source: XF
Type: UNKNOWN
mahara-cve20122243-xss(79269)

Source: CCN
Type: Mahara Web Site
Mahara

Source: CCN
Type: Mahara ePortfolio
Mahara 1.4.5

Source: CONFIRM
Type: Patch, Vendor Advisory
https://mahara.org/interaction/forum/topic.php?id=4937

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2012-2243

Vulnerable Configuration:

Configuration 1:

cpe:/a:mahara:mahara:1.4:rc1:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4:rc2:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4:rc3:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4:rc4:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4.0:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4.1:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4.2:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.4.4:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:mahara:mahara:1.5:rc1:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5:rc2:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.0:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.1:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.2:*:*:*:*:*:*:*

OR cpe:/a:mahara:mahara:1.5.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mahara:mahara:1.4:*:*:*:*:*:*:*