CVE-2010-1619
Description
Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) vulnerability in Moodle's KSES HTML cleaning library allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities, affecting versions 1.8.x before 1.8.12 and 1.9.x before 1.9.8.
Vulnerability
The fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), used in Moodle, contains a cross-site scripting (XSS) vulnerability. This issue affects Moodle versions 1.8.x before 1.8.12 and 1.9.x before 1.9.8 [1]. The vulnerability allows an attacker to bypass the intended HTML sanitization by providing crafted HTML entities that are not properly handled during the cleaning process [2].
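The class of mistake the paragraph above describes, shown as an added, constructed example in Python (used here as a stand-in for the PHP of weblib.php). This is not Moodle's KSES code and does not reproduce its regexes: the allow-list, the entity "fix" step, the order of the two steps and the sample payloads are all assumptions made to illustrate the general failure mode. The vulnerable pipeline filters tags and then rewrites non-standard numeric entities, so the rewrite can emit `<` and `>` the filter never saw; the hardened pipeline rewrites first, filters second, and repeats until nothing changes, so double-encoded references cannot surface markup on a later pass.

```python
import re

# Added, constructed example. NOT Moodle's KSES / weblib.php code: the
# allow-list, the regexes, the entity "fix" step, the step ordering and the
# sample payloads are assumptions modelling the general failure class.

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

# A tag is '<', optional '/', a name, then anything up to the next '>'.
# Attributes are not inspected in this small model.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)[^<>]*>")

# Numeric character references in canonical and non-standard spellings:
# hex or decimal, optional leading zeros, optional trailing ';'.
NUMERIC_REF_RE = re.compile(r"&#(?:[xX]0*([0-9a-fA-F]{1,6})|0*([0-9]{1,7}));?")


def strip_disallowed_tags(text: str) -> str:
    """Remove every tag whose name is not on the allow-list."""
    return TAG_RE.sub(
        lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", text
    )


def fix_numeric_references(text: str) -> str:
    """Model of an entity 'fix' step: rewrite numeric references (including
    non-standard ones with leading zeros or no ';') to the character they
    denote. Such a step is only safe if the tag filter runs AFTER it."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        return chr(code) if 0 < code < 0x110000 else m.group(0)
    return NUMERIC_REF_RE.sub(repl, text)


def vulnerable_clean(text: str) -> str:
    """Wrong order: filter first, then normalise. The normaliser can emit
    '<' and '>' the filter never saw, so entity-encoded tags survive."""
    return fix_numeric_references(strip_disallowed_tags(text))


def hardened_clean(text: str, max_rounds: int = 10) -> str:
    """Normalise before filtering, and repeat until the text stops changing,
    so a double-encoded reference (&#38;#60; -> &#60; -> <) cannot reveal
    markup on a later pass elsewhere in the application."""
    current = text
    for _ in range(max_rounds):
        nxt = strip_disallowed_tags(fix_numeric_references(current))
        if nxt == current:
            return current
        current = nxt
    # Still changing after max_rounds: refuse rather than emit partial output.
    raise ValueError("sanitizer did not reach a fixed point")


def contains_disallowed_tag(cleaned: str) -> bool:
    """Check on the cleaner's OUTPUT: does a literal tag outside the
    allow-list remain? Entities left in the output render as text in a
    browser, so only literal '<name' sequences count here."""
    return any(m.group(1).lower() not in ALLOWED_TAGS for m in TAG_RE.finditer(cleaned))


# Constructed sample inputs for this example (not taken from any real exploit).
SAMPLES = {
    # leading zeros in decimal references
    "leading_zeros": "&#0060;script&#0062;alert(1)&#0060;/script&#0062;",
    # hex references with the ';' omitted; 'i' ends the hex digits
    "hex_no_semicolon": "&#x3Cimg src=x onerror=alert(1)&#x3E",
    # '&' itself encoded, so one rewrite pass only exposes '&#60;'
    "double_encoded": "&#38;#60;script&#38;#62;",
    # legitimate markup that must survive
    "benign": "<b>bold</b> &amp; 1 &#60; 2",
}


def compare(samples=SAMPLES) -> dict:
    """Per sample: (tag survives vulnerable_clean?, tag survives hardened_clean?)."""
    return {
        name: (contains_disallowed_tag(vulnerable_clean(s)),
               contains_disallowed_tag(hardened_clean(s)))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:17s} vulnerable leaks tag: {str(vuln):5s} hardened leaks tag: {hard}")
```

The double-encoded sample is the one to watch: a single pass of the vulnerable pipeline returns `&#60;script&#62;`, which is harmless on its own but becomes a live tag if any later code normalises entities again. Iterating to a fixed point, with a bounded round count that fails closed, removes that dependency on what downstream code does.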
Exploitation
An attacker exploits this by submitting text containing crafted HTML entities to any Moodle component that passes user-supplied text through the KSES cleaner. No special network position is needed. Where the targeted component accepts input from unauthenticated users, no authentication is needed either; in many contexts, however, the attacker must be a logged-in user with permission to submit content (forum posts, comments, and similar). No victim interaction is required beyond viewing the crafted content [1].
Impact
Successful exploitation results in arbitrary web script or HTML injection into the context of the Moodle application. This can lead to session theft, credential harvesting, defacement, or other client-side attacks performed against other users who view the affected content. The attacker's code executes in the victim's browser within the security context of the vulnerable Moodle site [1].
Mitigation
Moodle fixed this vulnerability in versions 1.8.12 and 1.9.8 [1]; administrators should upgrade to those or later releases. No workarounds have been published, and the issue is not listed in the Known Exploited Vulnerabilities Catalog. The Moodle project provides open-source downloads and documentation for upgrading [2]. Both the 1.8 and 1.9 branches reached end of life long ago, so a site still running either should move to a currently supported Moodle release rather than stopping at the last 1.x point release.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| moodle/moodle | Packagist | >= 1.8.0, < 1.8.12 | 1.8.12 |
| moodle/moodle | Packagist | >= 1.9.0, < 1.9.8 | 1.9.8 |
Affected products
- cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
- (no CPE) version range: >= 1.8.0, < 1.8.12; >= 1.9.0, < 1.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.