CVE-2010-2230

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Published Bysecalert@redhat.com

Published DateJun 28, 2010, 17:30

Affected Versions(2)

moodle/moodle(Packagist)

Introduced0

Fixed1.8.13

LimitN/A

moodle/moodle(Packagist)

Introduced1.9.0

Fixed1.9.9

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
moodle/moodle(Packagist)	0	1.8.13	N/A
moodle/moodle(Packagist)	1.9.0	1.9.9	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE