CVE-2024-39923
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-25

Last updated on: 2025-09-05

Assigner: MITRE

Description
An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-25
Last Modified
2025-09-05
Generated
2026-06-16
AI Q&A
2025-08-25
EPSS Evaluated
2026-06-15
NVD
CVE-2024-39923
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mahara mahara From 23.04.0 (inc) to 23.04.7 (exc)
mahara mahara From 24.04.0 (inc) to 24.04.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-39923 is a Cross-Site Scripting (XSS) vulnerability in the Mahara ePortfolio System versions before 24.04.2 and 23.04.7. It occurs because the About, Contact, and Help footer links, which can only be set by an administrator, do not properly sanitize input values. This allows a malicious administrator to insert harmful JavaScript code into these footer links. When any logged-in user clicks on these links, the malicious script executes, potentially compromising the user's security. [2]

Impact Analysis

This vulnerability can impact you by allowing malicious scripts to run in the context of your logged-in session when you click on the affected footer links. This can lead to compromise of your user session, theft of sensitive information, or other malicious actions performed on your behalf within the Mahara system. Since the links are clickable by any logged-in user, the risk extends to all users once an administrator has inserted the malicious code. [2]

Detection Guidance

Detection involves checking if the About, Contact, or Help footer links in Mahara are configured with unsanitized or suspicious JavaScript code. Since these links are admin-configurable, review the URLs set in the 'Menus' section for any embedded scripts or unusual input. There are no specific commands provided to detect this vulnerability automatically. [2]

Mitigation Strategies

Immediately update Mahara to version 24.04.2 or later, or 23.04.7 or later, which contain patches fixing this XSS vulnerability. Ensure you select the correct compiled code packages compatible with your PHP version (7.4 or 8.1) and session handler configuration (e.g., Redis). Additionally, review and sanitize any admin-configured footer links to remove potentially malicious scripts. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-39923. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart