CVE-2024-39923
BaseFortify
Publication date: 2025-08-25
Last updated on: 2025-09-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mahara | mahara | From 23.04.0 (inc) to 23.04.7 (exc) |
| mahara | mahara | From 24.04.0 (inc) to 24.04.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-39923 is a Cross-Site Scripting (XSS) vulnerability in the Mahara ePortfolio System versions before 24.04.2 and 23.04.7. It occurs because the About, Contact, and Help footer links, which can only be set by an administrator, do not properly sanitize input values. This allows a malicious administrator to insert harmful JavaScript code into these footer links. When any logged-in user clicks on these links, the malicious script executes, potentially compromising the user's security. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing malicious scripts to run in the context of your logged-in session when you click on the affected footer links. This can lead to compromise of your user session, theft of sensitive information, or other malicious actions performed on your behalf within the Mahara system. Since the links are clickable by any logged-in user, the risk extends to all users once an administrator has inserted the malicious code. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if the About, Contact, or Help footer links in Mahara are configured with unsanitized or suspicious JavaScript code. Since these links are admin-configurable, review the URLs set in the 'Menus' section for any embedded scripts or unusual input. There are no specific commands provided to detect this vulnerability automatically. [2]
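Since the page gives no detection commands, here is an added example (not Mahara's code and not from BaseFortify) of the check an administrator can run over the configured About, Contact and Help link URLs. It assumes those URLs have been exported from the Mahara 'Menus' settings into a simple name-to-URL mapping; the sample mapping below is constructed for illustration. The same scheme and delimiter rules are what the page-rendering side should enforce before emitting such a URL into an `href`, which `safe_href` shows.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of admin-configured footer links (not real Mahara data).
# The "Help" entry is a deliberately bad value so the audit has something to flag.
SAMPLE_FOOTER_LINKS = {
    "About": "https://example.org/about",
    "Contact": "/contact.php",
    "Help": "javascript:void(0)",
}

# Schemes a footer link legitimately needs; "" covers relative links such as "/contact.php".
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}


def check_footer_link(name, url):
    """Return a list of problems found in one footer link URL; an empty list means it passed."""
    problems = []
    stripped = url.strip()
    # Whitespace or control characters inside the scheme are a classic filter bypass,
    # so collapse them before parsing; urlsplit() already lower-cases the scheme.
    scheme = urlsplit("".join(stripped.split())).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        problems.append(f"{name}: disallowed scheme '{scheme}:'")
    # Markup and attribute delimiters have no business in a plain link URL.
    if any(ch in stripped for ch in '<>"\''):
        problems.append(f"{name}: contains HTML/attribute delimiters")
    # Control characters can split attributes or hide a scheme from naive filters.
    if any(ord(ch) < 0x20 for ch in stripped):
        problems.append(f"{name}: contains control characters")
    return problems


def audit_footer_links(links):
    """Run check_footer_link over a name-to-URL mapping and collect all findings."""
    findings = []
    for name, url in links.items():
        findings.extend(check_footer_link(name, url))
    return findings


def safe_href(url):
    """How a page should emit an admin-supplied URL: refuse bad links, then HTML-escape the rest."""
    if check_footer_link("link", url):
        return "#"
    return html.escape(url, quote=True)


if __name__ == "__main__":
    for finding in audit_footer_links(SAMPLE_FOOTER_LINKS):
        print("FINDING:", finding)
```

Run it against an export of the real link settings; any finding means the link should be reviewed and replaced, which is the manual step the answer above describes. The allow-list of schemes is the important design choice: blocking `javascript:` by name is weaker than allowing only the few schemes a footer link needs.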
What immediate steps should I take to mitigate this vulnerability?
Immediately update Mahara to version 24.04.2 or later, or 23.04.7 or later, which contain patches fixing this XSS vulnerability. Ensure you select the correct compiled code packages compatible with your PHP version (7.4 or 8.1) and session handler configuration (e.g., Redis). Additionally, review and sanitize any admin-configured footer links to remove potentially malicious scripts. [2]