4.3

CVE-2008-1502

Exploit
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EgroupwareEgroupware Version <= 1.4.002
EgroupwareEgroupware Version1.0
EgroupwareEgroupware Version1.0.1
EgroupwareEgroupware Version1.0.3
EgroupwareEgroupware Version1.0.6
EgroupwareEgroupware Version1.2.106-2
EgroupwareEgroupware Version1.4.001
MoodleMoodle Version <= 1.8.4
MoodleMoodle Version1.1.1
MoodleMoodle Version1.2.0
MoodleMoodle Version1.2.1
MoodleMoodle Version1.3.0
MoodleMoodle Version1.3.1
MoodleMoodle Version1.3.2
MoodleMoodle Version1.3.3
MoodleMoodle Version1.3.4
MoodleMoodle Version1.4.1
MoodleMoodle Version1.4.2
MoodleMoodle Version1.4.3
MoodleMoodle Version1.4.4
MoodleMoodle Version1.4.5
MoodleMoodle Version1.5
MoodleMoodle Version1.5.0 Updatebeta
MoodleMoodle Version1.5.1
MoodleMoodle Version1.5.2
MoodleMoodle Version1.5.3
MoodleMoodle Version1.6.0
MoodleMoodle Version1.6.1
MoodleMoodle Version1.6.2
MoodleMoodle Version1.6.3
MoodleMoodle Version1.6.4
MoodleMoodle Version1.6.5
MoodleMoodle Version1.6.6
MoodleMoodle Version1.6.7
MoodleMoodle Version1.7.1
MoodleMoodle Version1.7.2
MoodleMoodle Version1.7.3
MoodleMoodle Version1.7.4
MoodleMoodle Version1.7.5
MoodleMoodle Version1.7.6
MoodleMoodle Version1.8.1
MoodleMoodle Version1.8.2
MoodleMoodle Version1.8.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 10.5% 0.952
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.debian.org/security/2008/dsa-1691
Patch
http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5
Patch
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html
http://secunia.com/advisories/29491
Vendor Advisory
http://secunia.com/advisories/30073
Vendor Advisory
http://secunia.com/advisories/30986
Vendor Advisory
http://secunia.com/advisories/31017
Vendor Advisory
http://secunia.com/advisories/31018
Vendor Advisory
http://secunia.com/advisories/31167
http://secunia.com/advisories/32400
Vendor Advisory
http://secunia.com/advisories/32446
Vendor Advisory
http://www.debian.org/security/2009/dsa-1871
http://www.egroupware.org/changelog
http://www.egroupware.org/viewvc/branches/1.4/phpgwapi/inc/class.kses.inc.php?r1=23625&r2=25110&pathrev=25110
Exploit
http://www.gentoo.org/security/en/glsa/glsa-200805-04.xml
http://www.openwall.com/lists/oss-security/2008/07/08/14
http://www.securityfocus.com/bid/28424
Patch
http://www.vupen.com/english/advisories/2008/0989/references
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/41435
https://usn.ubuntu.com/658-1/
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00331.html