CVE-2010-2230

Name	CVE-2010-2230
Description	The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2115-1
Debian Bugs	586280

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
wordpress (PTS)	bullseye (security), bullseye	5.7.11+dfsg1-0+deb11u1	fixed
	bookworm, bookworm (security)	6.1.6+dfsg1-0+deb12u1	fixed
	trixie	6.8.1+dfsg1-1	fixed
	forky, sid	6.8.3+dfsg1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
egroupware	source	(unstable)	(not affected)
moodle	source	lenny	1.8.13-1	DSA-2115-1
moodle	source	(unstable)	1.9.9-1		586280
wordpress	source	lenny	(not affected)
wordpress	source	(unstable)	3.0.4+dfsg-1

[lenny] - wordpress <not-affected> (2.x version is not affected)
- egroupware <not-affected> (Only forks a minor subset of KSES)