{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "16.10.0" }, { "fixed": "16.10.7" }, { "introduced": "17.04.0" }, { "fixed": "17.04.5" }, { "introduced": "17.10.0" }, { "fixed": "17.10.2" } ] }, "events": [ { "introduced": "2d4a3b547ca5aa058a975f870f21ddf64fc840db" }, { "fixed": "07d65ee9e2aec6a198371467ac7919e710ab0448" }, { "introduced": "c1b8e4e448228b12a674c205a7288389613271e7" }, { "fixed": "8d0b45c841df6d94d1c401e8efd3b6665a6fea59" }, { "introduced": "7e3e132425fc023eb85e66717284540d80bdacd1" }, { "fixed": "1c9cce2d0b3881e5323244e91be781ad7c85668c" } ], "repo": "https://github.com/maharaproject/mahara", "type": "GIT" } ] } ], "details": "Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $_GET and $_POST usage where possible, and instead use param_exists() and the correct param_*() function to fetch the expected value.", "id": "CVE-2017-17454", "modified": "2026-03-15T21:51:10.726493721Z", "published": "2018-02-20T22:29:00.223Z", "references": [ { "type": "ADVISORY", "url": "https://reviews.mahara.org/#/c/8191/" }, { "type": "ADVISORY", "url": "https://bugs.launchpad.net/mahara/+bug/1732987" }, { "type": "ADVISORY", "url": "https://mahara.org/interaction/forum/topic.php?id=8149" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }