CVE-2024-39923 in Maharainfo

Summary

by MITRE • 08/25/2025

An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/05/2025

This vulnerability exists in the Mahara learning management system where certain footer links can be configured to contain cross site scripting flaws. The issue affects versions 24.04 before 24.04.2 and 23.04 before 23.04.7, representing a significant security gap in the application's input validation mechanisms. The vulnerability specifically impacts the About, Contact, and Help footer links which can be manipulated by administrators to include malicious script content. This represents a classic cross site scripting vulnerability that falls under CWE-79 which defines improper neutralization of input during web page generation. The flaw occurs because the application fails to sanitize user-provided values when these footer links are configured, allowing potentially harmful scripts to be executed within the context of other users' browsers.

The operational impact of this vulnerability is substantial despite its limited attack surface. While only administrators can configure these links, any logged-in user can click them, creating a vector for privilege escalation and data theft. An attacker who gains administrative access could inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of other users. The vulnerability demonstrates a failure in the principle of least privilege and proper input sanitization, as the application should sanitize all user inputs regardless of the user's permissions level. This type of vulnerability can be categorized under ATT&CK technique T1059.005 which covers command and scripting interpreter for execution of malicious scripts in web applications.

The security implications extend beyond simple script execution as this vulnerability can be leveraged for more sophisticated attacks including session hijacking, credential theft, and data exfiltration. When users click on the maliciously configured footer links, their browsers execute the injected scripts in the context of the Mahara application, potentially allowing attackers to access sensitive information or perform unauthorized actions. The vulnerability highlights the importance of comprehensive input validation and output encoding practices that should be applied to all user-controllable content within web applications. Organizations using affected versions of Mahara should immediately apply the available patches to address this vulnerability and ensure that all user inputs are properly sanitized before being rendered in web pages. The fix should implement proper HTML encoding and content security policy mechanisms to prevent script execution in footer link contexts. This vulnerability serves as a reminder of the critical importance of input validation and output encoding in preventing cross site scripting attacks, particularly in applications where administrators can configure user-facing elements that may be clicked by any authenticated user.

Responsible

MITRE

Reservation

07/03/2024

Disclosure

08/25/2025

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!