CVE-2010-2230 — Cross-site Scripting in Moodle

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

4.0MEDIUMNVD

EPSS

0.4%

top 39.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Moodle Debian Wordpress

Timeline

PublishedJun 28

Latest updateMay 13

Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages4 packages

▶Packagistmoodle/moodle1.9.0 — 1.9.9+1

▶NVDmoodle/moodle1.8.12+52

▶debiandebian/wordpress< wordpress 3.0.4+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 3.0.4+dfsg-1+3

Patches

Patch: cvs.moodle.org ↗Patch: cvs.moodle.org ↗Patch: cvs.moodle.org ↗

🔴Vulnerability Details

GHSA

Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter↗2022-05-13

▶

OSV

Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter↗2022-05-13

▶

OSV

CVE-2010-2230: The KSES text cleaning filter in lib/weblib↗2010-06-28

▶

📋Vendor Advisories

Debian

CVE-2010-2230: wordpress - The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9....↗2010

▶

💬Community

Bugzilla

CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231 moodle: multiple security fixes in upstream 1.9.9/1.8.13↗2010-06-18

▶