CVE-2010-2230 — Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter

Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

How to fix CVE-2010-2230

To remediate CVE-2010-2230, upgrade the affected package to a fixed version below.

Debian/wordpress—upgrade to 3.0.4+dfsg-1 or later
Packagist/moodle/moodle—upgrade to 1.8.13 or later

Is CVE-2010-2230 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.4+dfsg-1
from 0, < 1.8.13

References (20)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2010-2230
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2010-2230
PATCHgithub.com/moodle/moodle
WEBcvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115
WEB