Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Remediation

References

CVE-2010-2230

Related Vulnerabilities

WordPress Plugin Users to CSV Cross-Site Request Forgery (1.4.5)

Drupal Improper Access Control Vulnerability (CVE-2015-2559)

PHP Resource Management Errors Vulnerability (CVE-2006-1549)

XOOPS Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2008-0613)

Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-3946)

Severity

Medium

Classification

CVE-2010-2230 CWE-707

Tags

Missing Update Known Vulnerabilities