Description

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.

Remediation

References

CVE-2008-1502

Related Vulnerabilities

PHP Out-of-bounds Read Vulnerability (CVE-2019-9021)

WordPress Plugin WatchMan-Site7 Cross-Site Request Forgery (3.0.2)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-3274)

WordPress Plugin Author Bio Box Cross-Site Scripting (3.3.1)

WordPress Plugin Smart Google Code Inserter Multiple Vulnerabilities (3.4)

Severity

Medium

Classification

CVE-2008-1502 CWE-707

Tags

Missing Update Known Vulnerabilities