CVE-2008-1502

eGroupWare < 1.4.003 and Moodle < 1.8.5 - Cross-Site Scripting via Crafted URL Protocols

Title source: llm

Description

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.

References (21)

Core 21

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29491

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31017

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32400

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32446

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2009/dsa-1871

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/30986

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/41435

Exploit x_refsource_misc

http://www.egroupware.org/viewvc/branches/1.4/phpgwapi/inc/class.kses.inc.php?r1=23625&r2=25110&pathrev=25110

Vendor Advisory vendor-advisory x_refsource_fedora

https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00331.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31018

Vendor Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/658-1/

Patch, Vendor Advisory x_refsource_confirm

http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2008/07/08/14

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/30073

Various Sources x_refsource_confirm

http://www.egroupware.org/changelog

Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/28424

Third Party Advisory vendor-advisory x_refsource_gentoo

http://www.gentoo.org/security/en/glsa/glsa-200805-04.xml

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/0989/references

Patch vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1691

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/31167

Scores

EPSS 0.0109

EPSS Percentile 78.2%

Details

CWE

CWE-79

Status published

Products (44)

egroupware/egroupware 1.0

egroupware/egroupware 1.0.1

egroupware/egroupware 1.0.3

egroupware/egroupware 1.0.6

egroupware/egroupware 1.2.106-2

egroupware/egroupware 1.4.001

egroupware/egroupware < 1.4.002

moodle/moodle 1.1.1

moodle/moodle 1.2.0

moodle/moodle 1.2.1

... and 34 more

Published Mar 25, 2008

Tracked Since Feb 18, 2026