Bug 454246 - (CVE-2008-1502) CVE-2008-1502 moodle: KSES related XSS issue
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 454247
Reported: 2008-07-07 03:28 EDT by Tomas Hoger
Modified: 2016-03-04 06:49 EST

Doc Type: Bug Fix
Last Closed: 2008-07-09 02:51:24 EDT
Description Tomas Hoger 2008-07-07 03:28:14 EDT
Quoting Moodle security advisory MSA-08-0008:

During internal code review performed by, some weaknesses were
discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses
are part of many popular projects, including WordPress, Moodle, Drupal,
eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from
cross-site scripting to code execution, depending on implementation.


There is a new option "Use HTML Purifier" in 1.9, it uses a different
whitelisting technique which is considered to be much safer than KSES.

Upstream advisory:

Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):

F-9 and Rawhide are already using 1.9.  F-8 should probably be updated to 1.8.5
or patches above can be applied.
Comment 2 Fedora Update System 2008-07-07 10:38:52 EDT
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Fedora Update System 2008-07-08 22:49:58 EDT
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Red Hat Product Security 2008-07-09 02:51:24 EDT
This issue was addressed in:

