Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter
Moderate severity
GitHub Reviewed
Published May 13, 2022 to the GitHub Advisory Database • Updated Feb 7, 2024
Package
Affected versions: < 1.8.13; >= 1.9.0, < 1.9.9
Patched versions: 1.8.13; 1.9.9
Description
The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.
Published by the National Vulnerability Database: Jun 28, 2010
Published to the GitHub Advisory Database: May 13, 2022
Reviewed: Feb 7, 2024
Last updated: Feb 7, 2024
References