oss-sec mailing list archives
Re: CVE request: moodle xss in < 1.8.5
From: Nico Golde <oss-security+ml () ngolde de>
Date: Fri, 11 Jul 2008 16:45:08 +0200
Hi Hanno, * Hanno Böck <hanno () hboeck de> [2008-07-08 13:29]:
Am Sonntag 06 Juli 2008 schrieb Nico Golde:Hi Hanno, * Hanno Böck <hanno () hboeck de> [2008-07-06 19:04]:http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5 * KSES related XSS security vulnerability fixedThis should be CVE-2008-1502:http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1502 is about egroupware. I found no cve related to moodle 1.8.4.
Will be update soon, the new description is: "The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols." Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- CVE request: moodle xss in < 1.8.5 Hanno Böck (Jul 06)
- Re: CVE request: moodle xss in < 1.8.5 Nico Golde (Jul 06)
- Re: CVE request: moodle xss in < 1.8.5 Hanno Böck (Jul 08)
- Re: CVE request: moodle xss in < 1.8.5 Nico Golde (Jul 08)
- Re: CVE request: moodle xss in < 1.8.5 Steven M. Christey (Jul 08)
- Re: CVE request: moodle xss in < 1.8.5 Nico Golde (Jul 08)
- Re: CVE request: moodle xss in < 1.8.5 Nico Golde (Jul 11)
- Re: CVE request: moodle xss in < 1.8.5 Hanno Böck (Jul 08)
- Re: CVE request: moodle xss in < 1.8.5 Nico Golde (Jul 06)