CVE-2008-1502 — Cross-site Scripting in Moodle

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.1%

top 22.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Moodle Debian Wordpress +1 more

Timeline

PublishedMar 25

Latest updateMay 1

Description

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages5 packages

▶Packagistmoodle/moodle< 1.8.5

▶NVDmoodle/moodle1.8.4+35

▶NVDegroupware/egroupware1.4.002+6

▶debiandebian/wordpress< wordpress 2.5.0-1 (bookworm)

▶Debianwordpress/wordpress< 2.5.0-1+3

Patches

Patch: docs.moodle.org ↗Patch: www.debian.org ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

Moodle vulnerable to Cross-site scripting↗2022-05-01

▶

OSV

Moodle vulnerable to Cross-site scripting↗2022-05-01

▶

OSV

CVE-2008-1502: The _bad_protocol_once function in phpgwapi/inc/class↗2008-03-25

▶

📋Vendor Advisories

Ubuntu

Moodle vulnerability↗2008-10-23

▶

Red Hat

moodle: KSES related XSS issue↗2008-04-16

▶

Debian

CVE-2008-1502: wordpress - The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as u...↗2008

▶

💬Community

Bugzilla

CVE-2008-1502 moodle: KSES related XSS issue↗2008-07-07

▶