GHSA-3gm8-32vv-q8mp

Suggest an improvement
Source
https://github.com/advisories/GHSA-3gm8-32vv-q8mp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3gm8-32vv-q8mp/GHSA-3gm8-32vv-q8mp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3gm8-32vv-q8mp
Aliases
Published
2022-05-13T01:13:04Z
Modified
2024-02-07T23:12:30.800761Z
Summary
Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter
Details

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Database specific
{
    "nvd_published_at": "2010-06-28T17:30:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-07T22:53:57Z"
}
References

Affected packages

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.8.13

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.9