CVE-2024-45753
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in Mahara's external RSS feed block. Attackers can inject malicious scripts via manipulated RSS feed XML link attributes, which execute in users' browsers when viewing the feed. Users of Mahara 23.04.8 and 24.04.4 are affected.
💻 Affected Systems
- Mahara
📦 What is this software?
Mahara by Mahara
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially compromising user accounts and sensitive data.
Likely Case
Attackers inject malicious JavaScript to steal session cookies or credentials from users viewing compromised RSS feeds.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution.
🎯 Exploit Status
Exploitation requires ability to control or manipulate RSS feed XML content that Mahara processes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 23.04.8 and 24.04.4
Vendor Advisory: https://mahara.org/interaction/forum/topic.php?id=9594
Restart Required: No
Instructions:
1. Upgrade Mahara to the latest patched version.
2. Apply vendor security patches if available.
3. Verify that the external RSS feed block properly sanitizes link attributes.
🔧 Temporary Workarounds
Disable External RSS Feed Block
Temporarily disable or remove the vulnerable external RSS feed block from Mahara installations.
Restrict RSS Feed Sources
Only allow trusted, verified RSS feed sources that cannot be manipulated by attackers.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads in RSS feed data
- Monitor for suspicious activity related to RSS feed processing and user session anomalies
🔍 How to Verify
Check if Vulnerable:
Check Mahara version in admin interface or via version.php file. If version is exactly 23.04.8 or 24.04.4, system is vulnerable.
Check Version:
Check Mahara version in admin panel or examine version.php file in installation directory.
Verify Fix Applied:
After patching, test RSS feed functionality with safe test payloads to ensure proper sanitization.
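The check the fix should pass, shown as an added illustration that is not Mahara's own code: feed link values are accepted only when they are absolute http(s) URLs, and are attribute-encoded before being placed in an href. The sample feed below is constructed for the example; the functions `safe_link` and `render_items` are hypothetical names, not Mahara APIs.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not a real feed): one benign item, one using a
# javascript: scheme, one trying to break out of the href attribute,
# and one relative link.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Example feed</title>
  <item><title>Good</title><link>https://example.org/post/1</link></item>
  <item><title>Scheme</title><link>javascript:alert(document.cookie)</link></item>
  <item><title>Quote</title><link>https://example.org/a" onmouseover="alert(1)</link></item>
  <item><title>Relative</title><link>/local/path</link></item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}


def safe_link(raw):
    """Return the link if it is an absolute http(s) URL, otherwise None.
    Rejecting by scheme allow-list (not by blocking 'javascript:') also
    covers data:, vbscript: and relative links."""
    if raw is None:
        return None
    raw = raw.strip()
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return raw


def render_items(xml_text):
    """Parse an RSS 2.0 feed and return one HTML fragment per item.
    Validated links become anchors with an attribute-encoded href;
    items whose link fails validation are rendered as plain text."""
    root = ET.fromstring(xml_text)
    fragments = []
    for item in root.iter("item"):
        title = html.escape((item.findtext("title") or "").strip())
        href = safe_link(item.findtext("link"))
        if href is None:
            fragments.append(f"<span>{title}</span>")
        else:
            # quote=True encodes " so a link value cannot close the attribute
            fragments.append(f'<a href="{html.escape(href, quote=True)}">{title}</a>')
    return fragments
```

Run `render_items(SAMPLE_RSS)` against a patched and an unpatched build with the same constructed feed: the scheme and quote items must never reach the page as live markup.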
📡 Detection & Monitoring
Log Indicators:
- Unusual RSS feed processing errors
- Multiple failed RSS feed fetch attempts
- Suspicious user agent strings in RSS feed requests
Network Indicators:
- Unusual outbound connections from Mahara server to unknown RSS feed sources
- Patterns of RSS feed requests containing script tags or JavaScript
SIEM Query:
Search for web server logs containing 'rss', 'feed', or 'xml' with suspicious characters like <script> or javascript: in query parameters or POST data.