Description
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.
Remediation
References
Related Vulnerabilities
WordPress Plugin Simple Dropbox Upload Arbitrary File Upload (1.8.8)
Serendipity Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-5476)
Apache Tomcat Improper Handling of Exceptional Conditions Vulnerability (CVE-2017-5664)
Moodle Other Vulnerability (CVE-2007-1429)
WordPress Plugin WooCommerce Checkout Manager Cross-Site Request Forgery (4.3)