Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before 17.10.2 have a Cross Site Scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now going to be discarded in Mahara along with NULL characters and invalid Unicode characters. Mahara will also avoid direct $GET and $POST usage where possible, and instead use paramexists() and the correct param*() function to fetch the expected value.
{
"cpe": "cpe:2.3:a:mahara:mahara:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "16.10.0"
},
{
"fixed": "16.10.7"
},
{
"introduced": "17.04.0"
},
{
"fixed": "17.04.5"
},
{
"introduced": "17.10.0"
},
{
"fixed": "17.10.2"
}
],
"source": "CPE_RANGE"
}