VYPR
Low severity · NVD Advisory · Published Apr 29, 2010 · Updated Apr 29, 2026

CVE-2010-1614

Description

Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine. NOTE: vector 1 might be resultant from a cross-site request forgery (CSRF) vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 contain XSS flaws in the Login-As feature and global search forms.

Vulnerability

Moodle versions 1.8.x before 1.8.12 and 1.9.x before 1.9.8 contain multiple cross-site scripting (XSS) vulnerabilities [1]. The issues exist in the Login-As feature (vector 1) and, when the global search feature is enabled, in unspecified global search forms of the Global Search Engine (vector 2) [1]. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML [1]. Note that vector 1 might be resultant from a cross-site request forgery (CSRF) vulnerability [1].

Exploitation

An attacker can exploit these XSS vulnerabilities without requiring authentication [1]. For the Login-As vector, the attacker may need to trick a privileged user into performing a CSRF action to trigger the XSS [1]. For the global search vector, the global search feature must be enabled on the Moodle instance [1]. The attacker then crafts malicious input that, when processed by the vulnerable forms, executes arbitrary script in the context of the victim's browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser session [1]. This can lead to session hijacking, defacement, credential theft, or other actions performed as the victim user within Moodle [1]. The impact is limited by the victim's privileges and the scope of the XSS [1].

Mitigation

Moodle has fixed these vulnerabilities in versions 1.8.12 and 1.9.8 [1]. Administrators should upgrade to these or later versions immediately [1]. No workarounds are documented in the available references [1]. The Login-As feature and global search functionality should be evaluated for additional security measures [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| moodle/moodle (Packagist) | >= 1.8.0, < 1.8.12 | 1.8.12 |
| moodle/moodle (Packagist) | >= 1.9.0, < 1.9.8 | 1.9.8 |

Affected products

20
  • Moodle/Moodle: 19 versions
    • cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
    • (no CPE) range: 1.8.x < 1.8.12, 1.9.x < 1.9.8
  • ghsa-coords
    Range: >= 1.8.0, < 1.8.12

Patches

0

No patches discovered yet.

References

6
