fkie_nvd - fkie_cve-2012-6037

fkie_cve-2012-6037

Vulnerability from fkie_nvd

Published

2012-11-24 20:55

Modified

2025-04-11 00:51

Severity ?

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities. NOTE: this issue was originally part of CVE-2012-2243, but that ID was SPLIT due to different issues by different researchers.

References

URL	Tags
cve@mitre.org	http://www.debian.org/security/2012/dsa-2591
cve@mitre.org	https://bugs.launchpad.net/mahara/+bug/1063480
cve@mitre.org	https://mahara.org/interaction/forum/topic.php?id=4937	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2012/dsa-2591
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/mahara/+bug/1063480
af854a3a-2127-422b-91ae-364da2661108	https://mahara.org/interaction/forum/topic.php?id=4937	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
mahara	mahara	1.4
mahara	mahara	1.4
mahara	mahara	1.4
mahara	mahara	1.4
mahara	mahara	1.4.0
mahara	mahara	1.4.1
mahara	mahara	1.4.2
mahara	mahara	1.4.3
mahara	mahara	1.4.4
mahara	mahara	1.5
mahara	mahara	1.5
mahara	mahara	1.5.0
mahara	mahara	1.5.1
mahara	mahara	1.5.2
mahara	mahara	1.5.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E59B9197-F3A7-48FE-B4EB-66E77477F119",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "76ADB798-ECDF-400A-812B-8DA40DE652B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "621775F5-0256-4D4E-8F75-74F116029346",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "06BD6041-32C5-4470-A710-E8ACDD90A719",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E564972A-F44F-4935-BE50-8CB8A3F6483A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A782949D-9F8D-4852-AA20-5E866C895CEB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E05D9E1E-E2EE-43C4-993A-F140B83493AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF97D77B-B448-407C-A545-F939C1C75B4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A1DE181-B75C-49B1-AA87-0F0BA090E23B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "78E1C65F-C3F8-41B3-BFE5-9DB40B0FF7C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "9DB9744B-7694-41D9-B1A7-184AF5B90B9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF1351BA-7AF2-4675-9BC3-6AB9786A361D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1ECA8058-4E47-45CC-98FB-66F1635D4EB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "82CA353E-6A25-4170-B32C-E06F0FFC0AE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mahara:mahara:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DACA0DE-26D8-41C8-92DE-63CC348C6BB7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with \"unknown fields,\" which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities.  NOTE: this issue was originally part of CVE-2012-2243, but that ID was SPLIT due to different issues by different researchers."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Mahara v1.4.x anterior a v1.4.5 y v1.5.x anterior a v1.5.4, y otras versiones incluida la v1.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de una cabecera CSV con \"unknown fields,\" el cual no es correctamente manejado en mensajes de error en las propiedades de (1) user, (2) grupo y (3) miembro de grupo. NOTA: esta vulnerabilidad fue en un principio parte del CVE-2012-2243, pero dicho ID fue dividido debido a diferentes asuntos con diferentes investigadores."
    }
  ],
  "id": "CVE-2012-6037",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2012-11-24T20:55:04.367",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://www.debian.org/security/2012/dsa-2591"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://bugs.launchpad.net/mahara/+bug/1063480"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://mahara.org/interaction/forum/topic.php?id=4937"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2012/dsa-2591"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugs.launchpad.net/mahara/+bug/1063480"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://mahara.org/interaction/forum/topic.php?id=4937"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2012-6037 (GCVE-0-2012-6037)

Vulnerability from cvelistv5

Published

2012-11-24 20:00

Modified

2024-08-06 21:21