CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
Mahara before 25.04.2 and 24.04.11 is vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.
Analysis (AI)
Stored cross-site scripting (XSS) in Mahara before 25.04.2 and 24.04.11 allows unauthenticated remote attackers to inject malicious JavaScript via unsanitized search query parameters in the 'search site' feature when the Elasticsearch7 search plugin is enabled. The vulnerability has a CVSS score of 6.1 (moderate) with network attack vector and user interaction required (clicking a crafted search link), resulting in partial confidentiality and integrity impact. No active exploitation has been confirmed by CISA KEV, and no public exploit code is documented at the time of analysis.
Technical Context (AI)
Mahara's search functionality integrates with the Elasticsearch7 search plugin to process user-supplied search queries. The vulnerability exists in the query parameter handling within the Elasticsearch search backend, which fails to properly encode or sanitize user input before rendering search results in the HTML response. This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) where attacker-controlled search strings are echoed back to the user's browser without HTML entity encoding or Content Security Policy enforcement. The Elasticsearch7 plugin's query processing layer does not validate or escape special characters that have meaning in HTML context, allowing attackers to break out of the intended data context and inject arbitrary script tags or event handlers.
Remediation (AI)
Upgrade Mahara to version 25.04.2 or later for the current 25.x branch, or to version 24.04.11 or later for the 24.04.x branch. Both patches remediate the input sanitization flaw in the Elasticsearch7 search plugin. If immediate patching is not feasible, disable the Elasticsearch7 search plugin and revert to Mahara's default search backend (typically database-driven search) to eliminate the attack surface; note that this may impact search performance on large instances. Additionally, implement a Content Security Policy (CSP) header with script-src restrictions to mitigate the impact of any unpatched XSS, though CSP alone does not prevent the vulnerability. Apply vendor patches as soon as available via https://mahara.org and verify the patched version is deployed across all instances. For users on unsupported versions, upgrading to a maintained release branch is mandatory.
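The unescaped-echo pattern from the Technical Context section and the defensive measures from the Remediation section, as an added illustration that is not Mahara's or the Elasticsearch7 plugin's code: a constructed results template in its vulnerable and entity-encoded forms, the CSP header the remediation recommends, and a log triage check. The search endpoint path `/search/index.php`, the parameter name `query`, the CSP directives and the log lines are all assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Constructed stand-in for a "search site" results template (not Mahara's code).
def render_results_vulnerable(query: str, hits: int) -> str:
    # The raw query lands in HTML text context with no encoding: the
    # exact defect class (CWE-79) the advisory describes.
    return f"<h2>Results for {query}</h2><p>{hits} matches</p>"

def render_results_fixed(query: str, hits: int) -> str:
    # html.escape (quote=True by default) encodes < > & " ' so the query
    # can never leave the text context and become markup.
    return f"<h2>Results for {html.escape(query)}</h2><p>{hits} matches</p>"

# Defence in depth from the Remediation section. The directive set is an
# assumption for this example, not a Mahara default; it limits what an
# unpatched injection could execute but does not remove the bug.
def csp_header(script_src: str = "'self'") -> tuple[str, str]:
    value = (f"default-src 'self'; script-src {script_src}; "
             "object-src 'none'; base-uri 'self'")
    return ("Content-Security-Policy", value)

# Access-log triage: flag search requests whose query carries HTML markup
# characters or event-handler syntax. A triage signal only, not proof of
# exploitation; assumed endpoint path and parameter name.
SEARCH_PATH = "/search/index.php"
_MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

def suspicious_search_requests(log_lines: list[str]) -> list[str]:
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != SEARCH_PATH:
            continue
        for value in parse_qs(parts.query).get("query", []):
            # parse_qs already decodes once; a second unquote catches
            # double-encoded values.
            if _MARKUP.search(unquote(value)):
                flagged.append(line)
                break
    return flagged

# Constructed sample log lines (combined log format, RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2025:10:00:01 +0000] "GET /search/index.php?query=open+badges HTTP/1.1" 200 5123',
    '203.0.113.9 - - [01/Jul/2025:10:00:07 +0000] "GET /search/index.php?query=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5210',
]
```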
EUVD-2025-209573
GHSA-f5fr-j7r9-mmgp