CVE-2008-3326
Description
Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Moodle blog entry title allows attackers to inject arbitrary script, affecting versions 1.6.x before 1.6.7 and 1.7.x before 1.7.5.
Vulnerability
The blog/edit.php script in Moodle versions 1.6.x before 1.6.7 and 1.7.x before 1.7.5 fails to sanitize the etitle parameter (blog entry title), allowing injection of arbitrary web script or HTML. [1]
Exploitation
An attacker with a valid Moodle account can create a new blog entry and set the title to a malicious payload, such as ``. The payload is stored and executed when other users view the blog entry. [1]
Impact
Successful exploitation results in stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the context of any user viewing the affected blog entry, potentially leading to session hijacking, cookie theft, or other client-side attacks. [1]
Mitigation
Upgrade to Moodle version 1.6.7 or 1.7.5, which contain the fix. No workaround is documented in the available references. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:moodle:moodle:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.4:*:*:*:*:*:*:*
- (no CPE) range: >=1.6, <1.6.7 or >=1.7, <1.7.5
Patches
No patches discovered yet.
References
- www.procheckup.com/Vulnerability_PR08-13.php (nvd, Exploit)
- lists.opensuse.org/opensuse-security-announce/2008-08/msg00001.html (nvd)
- moodle.org/mod/forum/discuss.php (nvd)
- secunia.com/advisories/31196 (nvd)
- secunia.com/advisories/31339 (nvd)
- www.debian.org/security/2008/dsa-1691 (nvd)
- www.securityfocus.com/archive/1/494656/100/0/threaded (nvd)
- www.securityfocus.com/bid/30348 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/43961 (nvd)
- www.exploit-db.com/exploits/6653 (nvd)