VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 28, 2010· Updated Apr 29, 2026

CVE-2010-2228

CVE-2010-2228

Description

Cross-site scripting (XSS) vulnerability in the MNET access-control interface in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XSS in Moodle MNET access-control interface allows arbitrary script injection via specially crafted usernames.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the MNET access-control interface of Moodle before versions 1.8.13 and 1.9.9 [2][3]. The issue is triggered by extended characters in a username, which are not properly sanitized, allowing an attacker to inject arbitrary web script or HTML [1][3]. Affected versions are all Moodle installations prior to 1.8.13 and 1.9.x prior to 1.9.9.

Exploitation

An attacker must have the ability to supply a username containing extended characters, such as through user registration or profile editing [1]. The crafted username is then displayed within the MNET access-control interface without proper encoding, causing the injected script to execute in the browser of any administrator or user who views the affected page [1][3]. No additional privileges or user interaction beyond viewing the page are required for the XSS to trigger.

Impact

Successful exploitation allows a remote attacker to execute arbitrary web script or HTML in the context of the victim's session [1][2]. This can lead to session hijacking, defacement, or theft of sensitive data presented in the admin interface, potentially compromising the entire Moodle site [1]. The scope is confined to the browser of the victim, but the attacker can perform administrative actions on behalf of an authenticated administrator.

Mitigation

Moodle released fixed versions 1.8.13 and 1.9.9 on June 18, 2010, which patch this vulnerability [2][3]. Administrators should upgrade to these or later versions immediately. There is no known workaround for earlier, unpatched installations. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About Secunia Research | Flexera
  2. 605809 – (CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231) CVE-2010-2228, CVE-2010-2229, CVE-2010-2230, CVE-2010-2231 moodle: multiple security fixes in upstream 1.9.9/1.8.13
  3. security - Re: CVE request: moodle 1.9.9/1.8.13 multiple vulnerabilities

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

54
  • Moodle/Moodle54 versions
    cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*+ 53 more
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=1.8.12
    • cpe:2.3:a:moodle:moodle:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.8:*:*:*:*:*:*:*
    • (no CPE)range: <1.8.13 or >=1.9.0 <1.9.9

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

14

News mentions

0

No linked articles in our index yet.