Description
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.