CVE-2010-2229
Description
Multiple cross-site scripting (XSS) vulnerabilities in blog/index.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Moodle before 1.8.13 and 1.9.x before 1.9.9 contain XSS in blog/index.php via unspecified parameters, allowing injection of arbitrary web script or HTML.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in blog/index.php in Moodle versions before 1.8.13 and 1.9.x before 1.9.9. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified parameters [1][2]. The issues were addressed in the upstream Moodle 1.9.9/1.8.13 security releases [2].
Exploitation
An attacker can exploit this by sending a crafted HTTP request to the blog/index.php script with malicious script or HTML in the unspecified parameters. No advanced access or authentication is needed; the attacker only needs to convince a target user to visit the crafted URL (user interaction required). The attack is conducted via the web interface, and the injected payload will execute in the context of the victim's browser when the page is rendered [1][2].
Impact
Successful exploitation leads to arbitrary web script or HTML execution in the victim's browser, potentially resulting in session hijacking, credential theft, or other client-side attacks. The attacker gains the ability to manipulate the page content and perform actions as the targeted user, leading to information disclosure and potential privilege escalation within the Moodle application [1][2].
Mitigation
Moodle has released versions 1.8.13 and 1.9.9, which fix these XSS vulnerabilities [1][2]. Users should upgrade to the fixed versions as soon as possible. Workarounds are not documented in the available references, but hardening web application firewalls to filter XSS payloads may provide temporary protection. This CVE is not known to be included in the CISA KEV catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* (range: <=1.8.12)
- cpe:2.3:a:moodle:moodle:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.5.0:beta:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:1.9.8:*:*:*:*:*:*:*
- (no CPE) (range: <1.8.13, <1.9.9)
Patches
No patches discovered yet.
References
- cvs.moodle.org/moodle/blog/lib.php (nvd; Patch)
- cvs.moodle.org/moodle/blog/lib.php (nvd; Patch)
- www.vupen.com/english/advisories/2010/1530 (nvd; Patch, Vendor Advisory)
- secunia.com/advisories/40248 (nvd; Vendor Advisory)
- secunia.com/advisories/40352 (nvd; Vendor Advisory)
- www.vupen.com/english/advisories/2010/1571 (nvd; Vendor Advisory)
- docs.moodle.org/en/Moodle_1.8.13_release_notes (nvd)
- docs.moodle.org/en/Moodle_1.9.9_release_notes (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html (nvd)
- moodle.org/mod/forum/discuss.php (nvd)
- tracker.moodle.org/browse/MDL-22631 (nvd)
- www.openwall.com/lists/oss-security/2010/06/21/2 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)