Detailed Description
1) Input passed to the "resume blocktype" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) The application does not properly restrict institution administrators from resetting the site administrator's password, which can be exploited to, for example, gain escalated privileges.
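
The kind of server-side check that item 2 describes as missing, as an added example (not the affected application's code). The User model, the function names and the sample accounts are hypothetical; it assumes institution administrators may reset passwords only for non-site-admin members of an institution they administer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    site_admin: bool = False
    member_of: frozenset = frozenset()  # institutions the account belongs to
    admin_of: frozenset = frozenset()   # institutions the account administers

def can_reset_password(actor: User, target: User) -> bool:
    """Decide server-side whether actor may reset target's password."""
    if actor.site_admin:
        return True
    if target.site_admin:
        # Evaluated before any membership test: a site administrator who is
        # also a member of the actor's institution must stay out of reach.
        return False
    # Deny by default: only members of an institution the actor administers.
    return bool(actor.admin_of & target.member_of)

def reset_password(actor: User, target: User, new_hash: str, store: dict) -> None:
    """Apply the reset only after the authorization check passes."""
    if not can_reset_password(actor, target):
        raise PermissionError(f"{actor.username} may not reset {target.username}")
    store[target.username] = new_hash

# Constructed sample accounts (hypothetical names).
SITE_ADMIN = User("siteadmin", site_admin=True, member_of=frozenset({"inst-a"}))
INST_ADMIN = User("inst_a_admin", member_of=frozenset({"inst-a"}),
                  admin_of=frozenset({"inst-a"}))
MEMBER_A = User("alice", member_of=frozenset({"inst-a"}))
MEMBER_B = User("bob", member_of=frozenset({"inst-b"}))

if __name__ == "__main__":
    for target in (MEMBER_A, MEMBER_B, SITE_ADMIN):
        print(target.username, can_reset_password(INST_ADMIN, target))
```

The constructed site administrator is deliberately a member of "inst-a": a check based on institution membership alone would allow the reset, which is why the role test comes first.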