CVE-2024-35203
📋 TL;DR
This cross-site scripting (XSS) vulnerability allows attackers to execute malicious JavaScript in victims' browsers by uploading files whose names contain script code. It affects Mahara e-portfolio systems running vulnerable versions and can compromise user sessions and data.
💻 Affected Systems
- Mahara
📦 What is this software?
Mahara by Mahara
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, leading to full account compromise.
Likely Case
Attackers inject malicious scripts that steal session tokens or user data when victims view file listings containing the malicious filenames.
If Mitigated
With proper input validation and output encoding, the XSS payload would be neutralized, preventing script execution while maintaining file functionality.
🎯 Exploit Status
Requires attacker to upload a file with malicious JavaScript in the filename and have a victim view the file listing. Some level of user interaction or social engineering may be needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.10.6, 23.04.6, or 24.04.1
Vendor Advisory: https://mahara.org/interaction/forum/topic.php?id=9519
Restart Required: No
Instructions:
1. Backup your Mahara installation and database.
2. Download the patched version from mahara.org.
3. Replace vulnerable files with patched versions.
4. Clear caches if applicable.
5. Verify the fix by testing file uploads with suspicious names.
🔧 Temporary Workarounds
File Upload Restriction
Temporarily restrict file uploads or implement filename sanitization at the web server level.
🧯 If You Can't Patch
- Implement WAF rules to block file uploads containing JavaScript patterns in filenames
- Disable file upload functionality for non-essential users
🔍 How to Verify
Check if Vulnerable:
Check your Mahara version via admin panel or by examining version files. If running versions before 22.10.6, 23.04.6, or 24.04.1, you are vulnerable.
Check Version:
Check the version.php file or admin dashboard for version information
Verify Fix Applied:
After patching, attempt to upload a file with a name containing basic JavaScript (e.g., 'test<script>alert(1)</script>.txt') and verify it's properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- File uploads with suspicious filenames containing script tags or JavaScript patterns
- Multiple failed upload attempts with unusual filenames
Network Indicators:
- HTTP POST requests to file upload endpoints with JavaScript in filename parameters
SIEM Query:
source="mahara_logs" AND (filename="*<script>*" OR filename="*javascript:*")
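The SIEM query above matches the literal strings `<script>` and `javascript:`, so a percent-encoded or upper-case filename would not be caught. The following Python example, added here and not taken from Mahara or from any SIEM product, runs the same detection idea over a handful of constructed upload log lines: it normalises each filename (percent-decoding, HTML entity decoding, lower-casing) before matching, and then aggregates hits per user to support the "multiple attempts with unusual filenames" indicator. The `key=value` log format, the field names and the user/IP values are assumptions for the demonstration, not Mahara's real log schema.

```python
import html
import re
import urllib.parse
from collections import Counter
from typing import Dict, List

# Constructed sample log lines (assumed format; not Mahara's real schema).
# The second and third lines carry the same payload in literal and
# percent-encoded form; the fourth is upper-case and was rejected; the fifth
# is a benign name that merely contains the word "javascript".
SAMPLE_LOG = """\
2024-06-01T10:00:01Z event=file_upload user=alice ip=10.0.0.5 filename="quarterly_report.pdf" status=ok
2024-06-01T10:02:17Z event=file_upload user=mallory ip=10.0.0.9 filename="test<script>alert(1)</script>.txt" status=ok
2024-06-01T10:02:40Z event=file_upload user=mallory ip=10.0.0.9 filename="notes%3Cscript%3Ealert(1)%3C%2Fscript%3E.txt" status=ok
2024-06-01T10:03:05Z event=file_upload user=mallory ip=10.0.0.9 filename="<SCRIPT>x</SCRIPT>.txt" status=rejected
2024-06-01T10:04:11Z event=file_upload user=bob ip=10.0.0.7 filename="javascript_course_notes.txt" status=ok
2024-06-01T10:05:30Z event=file_upload user=mallory ip=10.0.0.9 filename="link javascript:alert(1).html" status=ok
2024-06-01T10:06:00Z event=login user=alice ip=10.0.0.5 status=ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'filename="(?P<filename>.*)" status=(?P<status>\S+)$'
)

# Named rules applied to the *normalised* filename. Regexes tolerate
# whitespace inside tags and are case-insensitive.
SUSPICIOUS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
]


def normalize(name: str) -> str:
    """Undo common encodings before matching: repeated percent-decoding (to
    catch double encoding), HTML entity decoding, then lower-casing."""
    prev, cur = None, name
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return html.unescape(cur).lower()


def scan_upload_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per file_upload line whose filename trips a rule.
    Rejected uploads are included: a blocked attempt is still an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "file_upload":
            continue
        norm = normalize(m["filename"])
        rules = [rule for rule, rx in SUSPICIOUS if rx.search(norm)]
        if rules:
            hits.append({
                "ts": m["ts"], "user": m["user"], "ip": m["ip"],
                "filename": m["filename"], "status": m["status"], "rules": rules,
            })
    return hits


def repeat_offenders(hits: List[Dict[str, object]], threshold: int = 2) -> Dict[str, int]:
    """Users with at least `threshold` suspicious uploads (the 'multiple
    attempts' indicator from the Log Indicators list)."""
    counts = Counter(str(h["user"]) for h in hits)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_upload_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["user"], h["status"], h["rules"], h["filename"])
    print("repeat offenders:", repeat_offenders(found))
```

Two points a practitioner should take from the output: the percent-encoded name on the third line is flagged only because matching happens after decoding, and the benign `javascript_course_notes.txt` is not flagged because the rule requires the `javascript:` scheme, not the bare word. Applying the same normalisation in the SIEM (or ingesting a decoded copy of the filename field) closes the gap in the literal query shown above.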