CVE-2010-2230

medium

Published 2010-06-28 · Modified 2024-02-07

CVSS v3

—

CVSS v2

4.0

VIR risk

4.0

Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2010-2230

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.vupen.com/english/advisories/2010/1571

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://www.vupen.com/english/advisories/2010/1530

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/40352

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/40248

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.171&r2=1.970.2.172

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`3.0.4+dfsg-1`
debian	bullseye	fixed	`3.0.4+dfsg-1`
debian	forky	fixed	`3.0.4+dfsg-1`
debian	sid	fixed	`3.0.4+dfsg-1`
debian	trixie	fixed	`3.0.4+dfsg-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	moodle/moodle	`<1.8.13`	`1.8.13`
Packagist	moodle/moodle	`>=1.9.0,<1.9.9`	`1.9.9`

Application impact

Vendor	Product	Versions
moodle	moodle	`{"endIncluding":"1.8.12"}`
moodle	moodle	`1.1.1`
moodle	moodle	`1.2.0`
moodle	moodle	`1.2.1`
moodle	moodle	`1.3.0`
moodle	moodle	`1.3.1`
moodle	moodle	`1.3.2`
moodle	moodle	`1.3.3`
moodle	moodle	`1.3.4`
moodle	moodle	`1.4.1`
moodle	moodle	`1.4.2`
moodle	moodle	`1.4.3`
moodle	moodle	`1.4.4`
moodle	moodle	`1.4.5`
moodle	moodle	`1.5`
moodle	moodle	`1.5.0`
moodle	moodle	`1.5.1`
moodle	moodle	`1.5.2`
moodle	moodle	`1.5.3`
moodle	moodle	`1.6.0`
moodle	moodle	`1.6.1`
moodle	moodle	`1.6.2`
moodle	moodle	`1.6.3`
moodle	moodle	`1.6.4`
moodle	moodle	`1.6.5`
moodle	moodle	`1.6.6`
moodle	moodle	`1.6.7`
moodle	moodle	`1.6.8`
moodle	moodle	`1.7.1`
moodle	moodle	`1.7.2`
moodle	moodle	`1.7.3`
moodle	moodle	`1.7.4`
moodle	moodle	`1.7.5`
moodle	moodle	`1.7.6`
moodle	moodle	`1.8.1`
moodle	moodle	`1.8.2`
moodle	moodle	`1.8.3`
moodle	moodle	`1.8.4`
moodle	moodle	`1.8.5`
moodle	moodle	`1.8.6`
moodle	moodle	`1.8.7`
moodle	moodle	`1.8.8`
moodle	moodle	`1.8.9`
moodle	moodle	`1.8.10`
moodle	moodle	`1.8.11`
moodle	moodle	`1.9.1`
moodle	moodle	`1.9.2`
moodle	moodle	`1.9.3`
moodle	moodle	`1.9.4`
moodle	moodle	`1.9.5`
moodle	moodle	`1.9.6`
moodle	moodle	`1.9.7`
moodle	moodle	`1.9.8`

References

CWEs

CWE-79

Verify integrity in audit chain (admin only). AS-IS.