Description
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.
Remediation
References
Related Vulnerabilities
Oracle Application Server Other Vulnerability (CVE-2002-1631)
PHP Use of Externally-Controlled Format String Vulnerability (CVE-2011-1153)
XWiki Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2023-50723)
WordPress Plugin WP Statistics Cross-Site Scripting (8.3)
WordPress Plugin Loco Translate Local File Inclusion (2.2.1)