{"id":"CVE-2017-17454","details":"Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17.10.2 have a cross-site scripting (XSS) vulnerability when a user enters invalid UTF-8 characters. These are now discarded by Mahara, along with NULL characters and invalid Unicode characters. Mahara also avoids direct $_GET and $_POST usage where possible, instead using param_exists() and the correct param_*() function to fetch the expected value.","modified":"2026-03-15T22:24:08.771005Z","published":"2018-02-20T22:29:00.223Z","references":[{"type":"ADVISORY","url":"https://reviews.mahara.org/#/c/8191/"},{"type":"ADVISORY","url":"https://bugs.launchpad.net/mahara/+bug/1732987"},{"type":"ADVISORY","url":"https://mahara.org/interaction/forum/topic.php?id=8149"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/maharaproject/mahara","events":[{"introduced":"2d4a3b547ca5aa058a975f870f21ddf64fc840db"},{"fixed":"07d65ee9e2aec6a198371467ac7919e710ab0448"},{"introduced":"c1b8e4e448228b12a674c205a7288389613271e7"},{"fixed":"8d0b45c841df6d94d1c401e8efd3b6665a6fea59"},{"introduced":"7e3e132425fc023eb85e66717284540d80bdacd1"},{"fixed":"1c9cce2d0b3881e5323244e91be781ad7c85668c"}],"database_specific":{"versions":[{"introduced":"16.10.0"},{"fixed":"16.10.7"},{"introduced":"17.04.0"},{"fixed":"17.04.5"},{"introduced":"17.10.0"},{"fixed":"17.10.2"}]}}],"versions":["16.10.0_RELEASE","16.10.1_RELEASE","16.10.2_RELEASE","16.10.3_RELEASE","16.10.4_RELEASE","16.10.5_RELEASE","16.10.6_RELEASE","17.04.0_RELEASE","17.04.1_RELEASE","17.04.2_RELEASE","17.04.3_RELEASE","17.04.4_RELEASE","17.10.0_RELEASE","17.10.1_RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-17454.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}