CVE-2009-0664 - Vulnerability Details - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the introduction field in a user profile or (2) an arbitrary text block in a user view.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mahara	Mahara

Configuration 1 [-]

OR	cpe:2.3:a:mahara:mahara:1.0.0:::::::*
	cpe:2.3:a:mahara:mahara:1.0.1:::::::*
	cpe:2.3:a:mahara:mahara:1.0.2:::::::*
	cpe:2.3:a:mahara:mahara:1.0.3:::::::*
	cpe:2.3:a:mahara:mahara:1.0.4:::::::*
	cpe:2.3:a:mahara:mahara:1.0.5:::::::*
	cpe:2.3:a:mahara:mahara:1.0.6:::::::*
	cpe:2.3:a:mahara:mahara:1.0.7:::::::*
	cpe:2.3:a:mahara:mahara:1.0.8:::::::*
	cpe:2.3:a:mahara:mahara:1.0.9:::::::*
	cpe:2.3:a:mahara:mahara:1.0.10:::::::*
	cpe:2.3:a:mahara:mahara:1.1.0:alpha1::::::
	cpe:2.3:a:mahara:mahara:1.1.0:alpha2::::::
	cpe:2.3:a:mahara:mahara:1.1.0:alpha3::::::
	cpe:2.3:a:mahara:mahara:1.1.0:beta1::::::
	cpe:2.3:a:mahara:mahara:1.1.0:beta2::::::
	cpe:2.3:a:mahara:mahara:1.1.0:beta3::::::
	cpe:2.3:a:mahara:mahara:1.1.0:beta4::::::
	cpe:2.3:a:mahara:mahara:1.1.0:rc1::::::
	cpe:2.3:a:mahara:mahara:1.1.0:rc2::::::
	cpe:2.3:a:mahara:mahara:1.1.1:::::::*
	cpe:2.3:a:mahara:mahara:1.1.2:::::::*

No data.

References

Link	Providers
http://mahara.org/interaction/forum/topic.php?id=532
http://osvdb.org/53891
http://osvdb.org/53892
http://secunia.com/advisories/34789
http://secunia.com/advisories/34871
http://www.debian.org/security/2009/dsa-1778
http://www.securityfocus.com/bid/34677

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-04-23T17:00:00

Updated: 2024-08-07T04:40:05.242Z

Reserved: 2009-02-22T00:00:00

Link: CVE-2009-0664

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-04-23T17:30:01.670

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-0664

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-04-22T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the introduction field in a user profile or (2) an arbitrary text block in a user view."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-04-28T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://mahara.org/interaction/forum/topic.php?id=532"}, {"name": "DSA-1778", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2009/dsa-1778"}, {"name": "53891", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/53891"}, {"name": "34789", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34789"}, {"name": "34677", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34677"}, {"name": "53892", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/53892"}, {"name": "34871", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34871"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0664", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the introduction field in a user profile or (2) an arbitrary text block in a user view."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://mahara.org/interaction/forum/topic.php?id=532", "refsource": "CONFIRM", "url": "http://mahara.org/interaction/forum/topic.php?id=532"}, {"name": "DSA-1778", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1778"}, {"name": "53891", "refsource": "OSVDB", "url": "http://osvdb.org/53891"}, {"name": "34789", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34789"}, {"name": "34677", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34677"}, {"name": "53892", "refsource": "OSVDB", "url": "http://osvdb.org/53892"}, {"name": "34871", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34871"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:40:05.242Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://mahara.org/interaction/forum/topic.php?id=532"}, {"name": "DSA-1778", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2009/dsa-1778"}, {"name": "53891", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/53891"}, {"name": "34789", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34789"}, {"name": "34677", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34677"}, {"name": "53892", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/53892"}, {"name": "34871", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34871"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0664", "datePublished": "2009-04-23T17:00:00", "dateReserved": "2009-02-22T00:00:00", "dateUpdated": "2024-08-07T04:40:05.242Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mahara:mahara:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B49D797-AF1B-4F7E-A71D-AABD0F802912", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "18048333-3E64-4AB4-9F20-2B1B8E7AB9FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "68167317-977B-48EE-9320-2A4539A93B29", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "CB25DF09-D88F-4633-9956-D64E3497153F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "E32430EE-5F2B-4936-A297-2DF55CC22937", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "1CC0259C-E628-4BBA-9D97-41A130B1E741", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "974F2D63-488C-41D7-A627-BF9B085A8D10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E26420D4-20D8-4D6D-88B5-C74F39B88720", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "321475F4-1548-4FD1-BED9-12D944388FD8", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "F37005DE-BB31-4738-AC49-C3C2022AE8F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "8FA6F03B-F449-424E-A856-5BE5FB98814F", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "84652E40-1C88-438D-BCA1-4FF4C069F9AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "08F53776-5F58-4C20-8FE7-9DF06F1704A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "D5D55D2C-E6E5-44A4-831A-3EAE5C1568CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "79228F92-00A8-4B74-A914-11BDF9641F6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "9EEB3BF7-C4D3-4BB8-893F-B0FE252F0405", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "3BE91ED4-EA2A-4402-813C-1A2E5B10EA40", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "F7FB1F02-A03F-45E5-8D26-C007C10EE97D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A09C63AC-15A8-4722-B18E-98A86EC8A856", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "62452677-EE4C-4E5E-9DD2-D11C4211DA54", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2FDC6F32-24C0-4B5E-8338-FF85B0BBF801", "vulnerable": true}, {"criteria": "cpe:2.3:a:mahara:mahara:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "92848F08-EBFC-4579-A088-EC15D0B3EE48", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.0.x before 1.0.11 and 1.1.x before 1.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the introduction field in a user profile or (2) an arbitrary text block in a user view."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Mahara la v1.0.x anteriores a v1.0.11 y la v1.1.x anteriores a v1.1.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a trav\u00e9s (1) el campo \"introduction\" en el perfil de usuario o (2) un bloque de texto arbitrario en la vista de usuario."}], "id": "CVE-2009-0664", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-04-23T17:30:01.670", "references": [{"source": "cve@mitre.org", "url": "http://mahara.org/interaction/forum/topic.php?id=532"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/53891"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/53892"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34789"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34871"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.debian.org/security/2009/dsa-1778"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/34677"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://mahara.org/interaction/forum/topic.php?id=532"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/53891"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/53892"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34789"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/34871"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.debian.org/security/2009/dsa-1778"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/34677"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}