Unrated severity · NVD Advisory · Published Feb 10, 2009 · Updated Apr 23, 2026

CVE-2009-0500

Description

Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to inject arbitrary web script or HTML via crafted log table information that is not properly handled when it is displayed in a log report.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in Moodle's course/lib.php allows remote attackers to inject arbitrary web script via crafted log table entries.

Vulnerability

The vulnerability exists in course/lib.php in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4. It is a cross-site scripting (XSS) flaw in which log table information is not properly handled before being displayed in log reports. Crafted log entries can contain arbitrary web script or HTML that is executed in the viewer's browser.

Exploitation

An attacker can inject malicious script by creating or manipulating log entries, for example by sending specially crafted data that gets logged. Authentication is not required if the logging mechanism is triggered by an unauthenticated action, but user interaction is typically needed: the vulnerability is triggered when an administrator or other user views the log report page.

Impact

Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the victim's browser within the Moodle application's domain. This can lead to session hijacking, credential theft, or other malicious actions performed on behalf of the victim user, potentially leading to privilege escalation.

Mitigation

The issue was fixed in Moodle versions 1.6.9, 1.7.7, 1.8.8, and 1.9.4, released on February 4, 2009 [1]. Users should upgrade to these versions or later. No workarounds are provided in the reference.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

26
  • Moodle/Moodle (26 versions)
    • cpe:2.3:a:moodle:moodle:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
    • (no CPE) range: >=1.6, <1.6.9; >=1.7, <1.7.7; >=1.8, <1.8.8; >=1.9, <1.9.4

Patches

0

No patches discovered yet.

References

6
