Description
The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.
Remediation
References
Related Vulnerabilities
WordPress Plugin WPUpper Share Buttons Cross-Site Scripting (3.42)
Chamilo Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-31941)
WordPress 5.2.x Multiple Vulnerabilities (5.2 - 5.2.5)
WordPress 5.2.x Prototype Pollution (5.2 - 5.2.14)
WordPress Plugin Add Link to Facebook Cross-Site Scripting (2.2.7)