Skip to main content

Mahara CVE-2025-61872

| EUVDEUVD-2025-209573 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 mitre GHSA-f5fr-j7r9-mmgp
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 24, 2026 - 17:31 vuln.today
CVSS changed
Apr 24, 2026 - 16:22 NVD
6.1 (None) 6.1 (MEDIUM)
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2025-209573
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 00:00 nvd
MEDIUM 6.1

DescriptionCVE.org

Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.

AnalysisAI

Stored cross-site scripting (XSS) in Mahara before 25.04.2 and 24.04.11 allows unauthenticated remote attackers to inject malicious JavaScript via unsanitized search query parameters in the 'search site' feature when the Elasticsearch7 search plugin is enabled. The vulnerability has a CVSS score of 6.1 (moderate) with network attack vector and user interaction required (clicking a crafted search link), resulting in partial confidentiality and integrity impact. No active exploitation has been confirmed by CISA KEV, and no public exploit code is documented at the time of analysis.

Technical ContextAI

Mahara's search functionality integrates with the Elasticsearch7 search plugin to process user-supplied search queries. The vulnerability exists in the query parameter handling within the Elasticsearch search backend, which fails to properly encode or sanitize user input before rendering search results in the HTML response. This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where attacker-controlled search strings are echoed back to the user's browser without HTML entity encoding or Content Security Policy enforcement. The Elasticsearch7 plugin's query processing layer does not validate or escape special characters that have meaning in HTML context, allowing attackers to break out of the intended data context and inject arbitrary script tags or event handlers.

RemediationAI

Upgrade Mahara to version 25.04.2 or later for the current 25.x branch, or to version 24.04.11 or later for the 24.04.x branch. Both patches remediate the input sanitization flaw in the Elasticsearch7 search plugin. If immediate patching is not feasible, disable the Elasticsearch7 search plugin and revert to Mahara's default search backend (typically database-driven search) to eliminate the attack surface; note that this may impact search performance on large instances. Additionally, implement a Content Security Policy (CSP) header with script-src restrictions to mitigate the impact of any unpatched XSS, though CSP alone does not prevent the vulnerability. Apply vendor patches as soon as available via https://mahara.org and verify the patched version is deployed across all instances. For users on unsupported versions, upgrading to a maintained release branch is mandatory.

CVE-2015-1427 CRITICAL POC
9.8 Feb 17

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the s

CVE-2014-3120 HIGH POC
8.1 Jul 28

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execut

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2015-5531 MEDIUM POC
5.0 Aug 17

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unsp

CVE-2015-3337 MEDIUM POC
4.3 May 01

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, a

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2020-7012 HIGH POC
8.8 Jun 03

Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. Rated hig

CVE-2018-17246 CRITICAL POC
9.8 Dec 20

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical s

CVE-2022-31115 HIGH POC
8.8 Jun 30

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vuln

CVE-2021-32743 HIGH POC
8.8 Jul 15

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generat

CVE-2023-43116 HIGH POC
7.8 Dec 22

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the bu

CVE-2021-22146 HIGH POC
7.5 Jul 21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters.

Share

CVE-2025-61872 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy