CVE-2024-35203 in Mahara

Summary

by MITRE • 08/27/2025

Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system.


Analysis

by VulDB Data Team • 08/27/2025

The vulnerability identified as CVE-2024-35203 affects the Mahara ePortfolio platform in releases before 22.10.6, 23.04.6, and 24.04.1; those three versions are the fixed releases, not affected ones. It is a stored cross-site scripting flaw in the file upload functionality of Mahara's filebrowser system. The flaw manifests when a user uploads a file whose name contains JavaScript (or HTML that triggers it): the name is stored and later rendered into pages without escaping, creating a persistent XSS vector that runs in the browser of anyone who views it, in the origin of the affected Mahara site, and can therefore act with that viewer's session. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"); VulDB additionally maps it to ATT&CK technique T1566.001 (Spearphishing Attachment), since exploitation consists of delivering a malicious file into the application.

The technical root cause is missing output encoding in Mahara's file handling pipeline: when files are uploaded through the filebrowser, the application neither rejects nor neutralises file names that contain markup, and the stored name is later inserted into HTML without contextual escaping, so the payload executes whenever the name is rendered in a web interface. The vector is the file name rather than the file content, which is what makes it easy to overlook: antivirus scanning, MIME-type checks and content inspection look at the file body and never see the payload. The payload fires when a victim's browser renders a page that displays the name, such as a file listing, an artefact view or a download prompt; depending on the payload, nothing beyond viewing the page is required.

The operational impact goes beyond script execution: the injected script runs with the victim's session, so an attacker can hijack that session, read the pages and data the victim can see, perform actions as the victim, or redirect them to attacker-controlled sites. Successful exploitation against an ordinary user exposes that user's account and portfolio content; if an administrator views the malicious file name, the attacker inherits administrative control of the site. Because the XSS is stored, the malicious name remains active until the offending file is removed or the application is upgraded to a release that escapes file names on output, creating long-term exposure. Organisations using Mahara in education face particular risk, since student and instructor data, including personal information and assessed work, could be compromised.

Mitigation for CVE-2024-35203 is to upgrade to 22.10.6, 23.04.6, 24.04.1 or later. As defence in depth, file names should be contextually encoded wherever they are rendered (HTML body, attribute and URL contexts each need their own encoding; stripping "JavaScript characters" on input is not a substitute), a Content Security Policy without unsafe-inline should be deployed so that injected inline script is blocked even when an encoding gap remains, and existing uploads should be audited for names containing markup, since a file uploaded before the patch is still present afterwards. A web application firewall can block obvious payloads in upload requests but is easily bypassed and should not be relied on. Because any account with upload rights can plant the payload, restricting and reviewing who holds those rights matters more than user awareness training. The flaw illustrates why every user-controlled value rendered into a page, file names included, needs output encoding, and why similar components of the Mahara platform and related systems should be checked for the same pattern.
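The following added example (written for this page, not code from Mahara or from the advisory) illustrates the bug class described above and the audit suggested in the mitigation paragraph. It renders a file listing in two ways: a vulnerable version that interpolates raw file names into HTML, and a hardened version that encodes each name for the context it lands in (HTML text, a quoted attribute, a URL query parameter). An audit function flags stored names that contain markup-significant characters. The file names are constructed for the demonstration; the payload-bearing names are illustrative of the bug class and are not taken from the advisory.

```python
import html
import re
from urllib.parse import quote

# Constructed sample file names. The last two carry XSS payloads in the
# name itself (illustrative only); the file bodies are irrelevant, which is
# why content-based scanning never sees the problem.
SAMPLE_FILENAMES = [
    "report.pdf",
    "notes&drafts.txt",
    "<img src=x onerror=alert(document.cookie)>.png",
    'x" onmouseover="alert(1)".jpg',
]


def render_listing_vulnerable(filenames):
    """Interpolates raw names into HTML: the pattern behind CVE-2024-35203.

    Both the link text and the href attribute receive the unescaped name,
    so markup in the name becomes live markup in the page.
    """
    rows = [f'<li><a href="/download?file={name}">{name}</a></li>'
            for name in filenames]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def render_listing_hardened(filenames):
    """Encodes each name for every context it is placed in.

    - URL context: percent-encode the name as a query value.
    - Attribute context: HTML-escape the resulting URL (quote=True covers
      both quote characters).
    - Text context: HTML-escape the display name.
    """
    rows = []
    for name in filenames:
        href = "/download?file=" + quote(name, safe="")
        rows.append(
            f'<li><a href="{html.escape(href, quote=True)}">'
            f'{html.escape(name, quote=True)}</a></li>'
        )
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


# Characters and tokens that are only meaningful if the name is rendered as
# markup: tag delimiters, quotes, numeric entities, on*= handlers, javascript: URLs.
SUSPICIOUS = re.compile(r"""[<>"']|&#|\bon\w+\s*=|javascript:""", re.IGNORECASE)


def audit_filenames(filenames):
    """Returns the names that would need escaping to be displayed safely.

    Intended for a one-off sweep over names already stored in the database
    after upgrading, so that pre-patch uploads can be reviewed or renamed.
    """
    return [name for name in filenames if SUSPICIOUS.search(name)]


if __name__ == "__main__":
    print("vulnerable listing:\n" + render_listing_vulnerable(SAMPLE_FILENAMES))
    print("\nhardened listing:\n" + render_listing_hardened(SAMPLE_FILENAMES))
    print("\nflagged names:", audit_filenames(SAMPLE_FILENAMES))
```

Note that the audit is a triage aid, not the fix: a name such as "notes&drafts.txt" is harmless once output encoding is in place, and a name that passes the regex can still break a rendering context the regex does not model. The hardened renderer is what actually closes the hole; a Content Security Policy that forbids inline script limits the damage if an encoding gap is missed.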

Responsible

MITRE

Reservation

05/12/2024

Disclosure

08/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00040

KEV

no

Activities

very low

Sources
