** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-8698

https://bugs.launchpad.net/bugs/1381868

Title:
  XSS with institution full name on user profile page

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  Yuliya reported this one to me via IRC.

  The institution display name is not filtered for HTML on the user
  profile page. Consequently, site admins and institutional admins can
  put JavaScript into it.

  This is a medium-level security threat, mainly of concern to
  multi-tenanted Mahara institutions where the security of the
  "institutional admin" users may not be fully vetted by the site
  administrators.
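The two defensive counterparts to the bug described above, as an added example that is not Mahara's code and not part of the original notification: output-encode the institution display name where it is written into the profile page, and audit stored names for markup on a multi-tenanted site. It is written in Python for illustration; the row layout, function names and sample values are assumptions constructed here.

```python
import html
from html.parser import HTMLParser


class _MarkupFinder(HTMLParser):
    """Records every start tag an HTML parser recognises in a value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def markup_in(value):
    """Return the tag names found in a stored display name."""
    finder = _MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.tags


def audit_display_names(rows):
    """rows: iterable of (short_name, display_name) pairs (hypothetical layout).
    Returns {short_name: [tags]} for every name that would render as markup."""
    findings = {}
    for short_name, display_name in rows:
        tags = markup_in(display_name)
        if tags:
            findings[short_name] = tags
    return findings


def render_profile_institution(display_name):
    """Encode at the point of output so the name is always shown as text."""
    return '<div class="institution">Member of {}</div>'.format(
        html.escape(display_name, quote=True))


# Constructed sample rows, not taken from any real site.
SAMPLE_ROWS = [
    ("uni-a", "University of Example"),
    ("uni-b", "Arts & Crafts <College>"),
    ("uni-c", "<script>alert(1)</script>Institute"),
]

if __name__ == "__main__":
    print(audit_display_names(SAMPLE_ROWS))
    for _, name in SAMPLE_ROWS:
        print(render_profile_institution(name))
```

The audit flags `uni-b` as well as `uni-c`: a harmless name containing angle brackets is indistinguishable from markup at storage time, which is why the encoding belongs at output rather than in an input filter alone.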

