Moderate severity · NVD Advisory · Published Jun 28, 2010 · Updated Apr 29, 2026

CVE-2010-2230

Description

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in Moodle's KSES filter allows authenticated users to inject attacker-controlled script via vbscript: URIs in HTML attributes, which the filter left untouched while neutralizing javascript: URIs.

Vulnerability

The KSES text cleaning filter in lib/weblib.php in Moodle before versions 1.8.13 and 1.9.x before 1.9.9 fails to properly handle vbscript URIs. A remote authenticated user can therefore place a vbscript: URI in an attribute of otherwise permitted HTML, and that URI survives cleaning even though the equivalent javascript: URI would have been neutralized. The vulnerability affects all Moodle installations running the affected versions where the KSES filter is enabled [1][2][4].

Exploitation

An attacker must have a valid authenticated user account on the Moodle site. By crafting HTML input that carries a vbscript: URI in an attribute, the attacker bypasses the KSES filter: the filter rewrites javascript tokens but leaves the vbscript scheme unsanitized, so the attribute reaches the stored content intact. When a victim views that content in a browser that honours the vbscript: scheme (historically Internet Explorer), the attacker-controlled script runs in the victim's session context [1][4].

Impact

Successful exploitation enables cross-site scripting (XSS) attacks, allowing the attacker to execute attacker-controlled script (VBScript, in browsers that support the vbscript: scheme) in the browser of other users viewing the crafted content. This can lead to disclosure of sensitive information, session hijacking, or other actions performed on behalf of the authenticated victim [1][4].

Mitigation

Moodle fixed this vulnerability in versions 1.8.13 and 1.9.9, released in June 2010. Administrators should upgrade immediately to these or later versions. No workarounds are documented, and the product version is now end-of-life; no further security patches are expected [2][3][4].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions     Patched versions
moodle/moodle (Packagist)  < 1.8.13              1.8.13
moodle/moodle (Packagist)  >= 1.9.0, < 1.9.9     1.9.9

Affected products

  • Moodle/Moodle (54 versions)
    • cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*range: <=1.8.12
    • cpe:2.3:a:moodle:moodle:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.6.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.11:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:moodle:moodle:1.9.8:*:*:*:*:*:*:*
    • (no CPE) range: <1.8.13 for 1.8.x, <1.9.9 for 1.9.x
  • ghsa-coords
    Range: < 1.8.13

Patches

Commit 704c5dfed4f4

MDL-22042 fixed kses cleaning of html code

https://github.com/moodle/moodle · Petr Skoda · Jun 3, 2010 · via ghsa
1 file changed · +1 −0
  • lib/weblib.php (+1 −0, modified)
    @@ -1574,6 +1574,7 @@ function cleanAttributes2($htmlArray){
                     }
                 }
                 $arreach['value'] = preg_replace("/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xjavascript", $arreach['value']);
    +            $arreach['value'] = preg_replace("/v\s*b\s*s\s*c\s*r\s*i\s*p\s*t/i", "Xvbscript", $arreach['value']);
                 $arreach['value'] = preg_replace("/e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n/i", "Xexpression", $arreach['value']);
                 $arreach['value'] = preg_replace("/b\s*i\s*n\s*d\s*i\s*n\s*g/i", "Xbinding", $arreach['value']);
             } else if ($arreach['name'] == 'href') {
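Review bot: the new vbscript substitution is added only in the branch shown, which ends at `} else if ($arreach['name'] == 'href') {`; href is the most natural carrier for a vbscript: URI, so confirm the href branch (and any other attribute-specific branch) applies the same neutralization, otherwise the fix covers src/style-type attributes but not links. Second, this extends a substring denylist (javascript, expression, binding, now vbscript) one name at a time: any scheme not on the list passes through, and nothing visible in this hunk decodes HTML entities before the regex runs, so an attribute value spelled with entity-encoded letters would only be caught if normalization happens earlier in cleanAttributes2. For URI-bearing attributes an allowlist of permitted schemes (http, https, mailto, ftp, relative) would close the class rather than the single scheme.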
    

Vulnerability mechanics

Root cause

"Missing sanitization of vbscript URIs in the KSES HTML cleaning filter allows injection of executable script URIs."

Attack vector

An authenticated user with permission to submit HTML input (e.g., forum posts, wiki pages) crafts an element attribute containing a `vbscript:` URI. The KSES filter in `lib/weblib.php` [patch_id=18396] neutralizes the tokens `javascript` (the javascript: URI scheme), `expression` (IE's CSS expression()) and `binding` (Mozilla's -moz-binding) by prefixing them with `X`, but has no rule for `vbscript`, so the malicious attribute passes through unmodified. When a victim views the page, Internet Explorer (which supports the vbscript: scheme) executes the attacker's script in the victim's session context, achieving cross-site scripting [CWE-79].

Affected code

The vulnerability resides in the `cleanAttributes2` function within `lib/weblib.php`. This function sanitizes HTML attribute values with a chain of case-insensitive regexes that tolerate whitespace between letters, but the chain only covers `javascript`, `expression` and `binding`, leaving `vbscript:` URIs untouched [patch_id=18396].

What the fix does

The patch adds a single line to the `cleanAttributes2` function in `lib/weblib.php` [patch_id=18396] that applies a case-insensitive regex to replace `vbscript` (with optional whitespace between characters) with the inert string `Xvbscript`. This mirrors the existing treatment of `javascript` on the line immediately above and of `expression` and `binding` on the lines below. By neutralizing the `vbscript:` scheme in the same manner, the filter now prevents attackers from using that alternative URI scheme to bypass the XSS protection; it remains a denylist, so schemes not named in the chain are not affected by it.
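As an added worked example (a Python re-implementation written for this page, not Moodle's own code), the substitution chain from the hunk is modeled before and after the patch and run over constructed attribute values covering the plain, whitespace-split and mixed-case forms the regex is designed for. It also includes `find_script_uris`, a constructed audit helper for scanning already-stored HTML (such as forum posts saved before an upgrade) for javascript:/vbscript: attribute values; it is not a Moodle API. The entity-encoded sample shows what the regex list alone does not match; whether Moodle's filter decodes entities before this point is not shown on this page, so that line only documents the limit of the modeled chain.

```python
import re

# Patterns copied from the visible hunk in lib/weblib.php: each token may have
# whitespace between its letters and is made inert by prefixing "X".
PRE_PATCH_PATTERNS = [
    (r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t", "Xjavascript"),
    (r"e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n", "Xexpression"),
    (r"b\s*i\s*n\s*d\s*i\s*n\s*g", "Xbinding"),
]
# The one line added by the fix (MDL-22042), inserted after the javascript rule.
VBSCRIPT_PATTERN = (r"v\s*b\s*s\s*c\s*r\s*i\s*p\s*t", "Xvbscript")
POST_PATCH_PATTERNS = PRE_PATCH_PATTERNS[:1] + [VBSCRIPT_PATTERN] + PRE_PATCH_PATTERNS[1:]


def clean_attribute_value(value, patterns):
    """Model of the preg_replace chain in cleanAttributes2 (re-implementation, not Moodle code)."""
    for pattern, replacement in patterns:
        value = re.sub(pattern, replacement, value, flags=re.IGNORECASE)
    return value


def pre_patch(value):
    """Attribute cleaning as in Moodle < 1.8.13 / 1.9.x < 1.9.9 (modeled)."""
    return clean_attribute_value(value, PRE_PATCH_PATTERNS)


def post_patch(value):
    """Attribute cleaning with the vbscript rule added (modeled)."""
    return clean_attribute_value(value, POST_PATCH_PATTERNS)


# Constructed attacker inputs for illustration.
SAMPLES = {
    "plain":      "vbscript:MsgBox(1)",
    "spaced":     "v b s c r i p t : MsgBox(1)",
    "mixed_case": "VbScRiPt:MsgBox(1)",
    "js_control": "javascript:alert(1)",
    "entity":     "&#118;bscript:MsgBox(1)",   # not matched by the regex list alone
    "benign":     "https://example.org/course/view.php?id=2",
}


def find_script_uris(html):
    """Audit helper (constructed example): return (attribute, value) pairs whose value
    starts with a javascript: or vbscript: scheme, tolerating case and inner whitespace."""
    hits = []
    for m in re.finditer(r'(\w+)\s*=\s*(["\'])(.*?)\2', html, re.IGNORECASE | re.DOTALL):
        name, _, val = m.groups()
        if re.match(r"\s*(?:j\s*a\s*v\s*a|v\s*b)\s*s\s*c\s*r\s*i\s*p\s*t\s*:", val, re.IGNORECASE):
            hits.append((name, val))
    return hits


# Constructed stored forum post: one legitimate link, two script-scheme attributes.
STORED_POST = (
    '<p>See <a href="https://example.org/mod/forum/view.php?id=7">the forum</a> '
    'and <img src="vbscript:MsgBox(document.cookie)" alt="x"> '
    'plus <a href="V B SCRIPT: MsgBox(1)">click</a></p>'
)

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:10} pre: {pre_patch(value)!r:34} post: {post_patch(value)!r}")
    print("audit hits:", find_script_uris(STORED_POST))
```

Running it shows the plain, spaced and mixed-case vbscript values passing the pre-patch chain unchanged and coming out as `Xvbscript...` after the patch, while the javascript control is neutralized in both; the entity-encoded value is untouched by both, which is why a denylist of this kind depends on normalization happening before it in the filter. The audit helper flags the `src` and second `href` of the constructed post and ignores the legitimate link.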

Preconditions

  • auth: Attacker must be an authenticated Moodle user with permission to submit HTML content (e.g., post to forums, add wiki pages).
  • input: Attacker must include a vbscript: URI in an HTML element attribute (e.g., src, href, or event handler).
  • network: Victim must view the attacker's content using a browser that supports the vbscript: scheme (primarily Internet Explorer).

Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

21
