Moodle vulnerable to Cross-site scripting

Description

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-01 23:40:50 UTC
Updated
2024-02-09 15:44:58 UTC
GitHub reviewed
2024-02-09 15:44:56 UTC
NVD published
2008-03-25

EPSS Score

Score Percentile
1.09% 77.51%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer moodle/moodle < 1.8.5 1.8.5

References

cvelogic Threat Intelligence