The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.
| Score | Percentile |
|---|---|
| 1.09% | 77.51% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-v759-3wr5-p294 ↗ |
| CVE | CVE-2008-1502 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | moodle/moodle | < 1.8.5 | 1.8.5 | — |