Gentoo Foundation GLSA-200803-27
Mar 18, 2008 - 12:00 a.m.

MoinMoin: Multiple vulnerabilities

2008-03-18 00:00:00
Gentoo Foundation
security.gentoo.org

CVSS2: 5 Medium

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

  AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.083 Low

  Percentile: 94.4%

Background

MoinMoin is an advanced, easy to use and extensible Wiki Engine.

Description

Multiple vulnerabilities have been discovered:

  • A vulnerability exists in the file wikimacro.py because the _macro_Getval function does not properly enforce ACLs (CVE-2008-1099).
  • A directory traversal vulnerability exists in the userform action (CVE-2008-0782).
  • A Cross-Site Scripting vulnerability exists in the login action (CVE-2008-0780).
  • Multiple Cross-Site Scripting vulnerabilities exist in the file action/AttachFile.py when using the message, pagename, and target filenames (CVE-2008-0781).
  • Multiple Cross-Site Scripting vulnerabilities exist in formatter/text_gedit.py (aka the gui editor formatter) which can be exploited via a page name or destination page name, which trigger an injection in the file PageEditor.py (CVE-2008-1098).

Impact

These vulnerabilities can be exploited to allow remote attackers to inject arbitrary web script or HTML, overwrite arbitrary files, or read protected pages.

Workaround

There is no known workaround at this time.

Resolution

All MoinMoin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.6.1"

OS      Version  Architecture  Package            Version  Filename
Gentoo  any      all           www-apps/moinmoin  < 1.6.1  UNKNOWN
