CVE-2010-2230

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

Identifiers

GHSA-3gm8-32vv-q8mp, CVE-2010-2230

Package Slug

packagist/moodle/moodle

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Affected Versions

All versions before 1.8.13, all versions starting from 1.9.0 before 1.9.9

Solution

Upgrade to versions 1.8.13, 1.9.9 or above.

Last Modified

2024-02-09
