Bug Title: Potential attack vector via registration form
Bug ID: 1697308
Reported By: Robert Lyon
Reported Date: 2017-06-11
CVE Reference: CVE-2017-9551

Affected Versions:
- Mahara 15.04
- Mahara 16.04
- Mahara 16.10
- Mahara 17.04
- Mahara 17.10

Status: Fix Released
Importance: High
Assigned To: Robert Lyon
Milestone: Mahara 17.10.0

Bug Description:
- An attacker can submit a potentially dangerous payload to be saved as their name in the usr_registration table.
- The values are then also emailed out to the user and admin.
- If accepted, the payload becomes part of the new user's account.
- The submitted values from the form need to be cleaned up to remove any HTML tags and JavaScript code.

Security Update: The registration form information has been sanitized to avoid potential hacking vectors.
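
One way to apply the clean-up the description calls for, as an added example that is not Mahara's own code or its actual fix: name fields are stripped of tags before they are stored, and encoded again when written into an HTML notification email. The field names `firstname` and `lastname` and all function names are hypothetical, and `mb_substr` assumes the mbstring extension is loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: clean one free-text registration field before storage.
function clean_registration_text(string $value, int $maxlen = 255): string {
    // Remove control characters; with /u, invalid UTF-8 makes preg_replace
    // return null, which is treated here as an empty (rejected) value.
    $value = preg_replace('/[\x00-\x1F\x7F]/u', '', $value) ?? '';
    // Remove HTML tags. Text between tags (e.g. a script body) is kept, but
    // only as inert plain text because the tags themselves are gone.
    $value = strip_tags($value);
    // Collapse runs of whitespace and cap the stored length.
    $value = trim(preg_replace('/\s+/u', ' ', $value) ?? '');
    return mb_substr($value, 0, $maxlen);
}

// Clean every name field of a submission; reject it if nothing usable remains.
function clean_registration(array $submitted): array {
    $clean = [];
    foreach (['firstname', 'lastname'] as $field) { // assumed field names
        $raw = $submitted[$field] ?? '';
        if (!is_string($raw)) {
            throw new InvalidArgumentException("$field must be a string");
        }
        $value = clean_registration_text($raw);
        if ($value === '') {
            throw new InvalidArgumentException("$field is empty after cleaning");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Output encoding for the HTML email sent to the user and admin: applied even
// to cleaned values, since strip_tags leaves characters such as & and quotes.
function render_admin_email_html(array $clean): string {
    $name = htmlspecialchars($clean['firstname'] . ' ' . $clean['lastname'],
                             ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>New registration request from {$name}.</p>";
}

// Constructed sample submission, not taken from the bug report.
$submitted = [
    'firstname' => '<b>Ada</b>',
    'lastname'  => 'O\'Neil<img src=x onerror=alert(1)>',
];
$clean = clean_registration($submitted);
echo $clean['firstname'], ' ', $clean['lastname'], PHP_EOL;
echo render_admin_email_html($clean), PHP_EOL;
```

The cleaned array is what would be written to the registration table, using parameterized queries, so the same values flow to the email and to the account created on approval.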