ID FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL Type nessus Reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2020-08-02T00:00:00
Description
Secunia reports :
Some vulnerabilities have been reported in MoinMoin, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Input passed to multiple parameters in action/AttachFile.py is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include("compat.inc");
if (description)
{
script_id(38764);
script_version("1.14");
script_cvs_date("Date: 2019/08/02 13:32:40");
script_cve_id("CVE-2009-0260", "CVE-2009-0312");
script_xref(name:"Secunia", value:"33593");
script_name(english:"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)");
script_summary(english:"Checks for updated package in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:"The remote FreeBSD host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"Secunia reports :
Some vulnerabilities have been reported in MoinMoin, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Input passed to multiple parameters in action/AttachFile.py is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
Certain input passed to security/antispam.py is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of an affected site."
);
script_set_attribute(
attribute:"see_also",
value:"http://moinmo.in/SecurityFixes"
);
# https://vuxml.freebsd.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?16fc5935"
);
script_set_attribute(attribute:"solution", value:"Update the affected package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_cwe_id(79);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:moinmoin");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
script_set_attribute(attribute:"vuln_publication_date", value:"2009/01/21");
script_set_attribute(attribute:"patch_publication_date", value:"2009/05/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/14");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"moinmoin<1.8.2")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user", "published": "2009-05-14T00:00:00", "modified": "2020-08-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/38764", "reporter": "This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?16fc5935", "http://moinmo.in/SecurityFixes"], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "type": "nessus", "lastseen": "2020-08-01T02:25:03", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:moinmoin"], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss3": {}, "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user", "edition": 17, "enchantments": {"dependencies": {"modified": "2020-07-01T02:08:23", "references": [{"idList": ["SECURITYVULNS:DOC:21261", "SECURITYVULNS:VULN:9634"], "type": "securityvulns"}, {"idList": ["FREEBSD_PKG_6A523DBAEEAB11DDAB4F0030843D3802.NASL", "FEDORA_2009-3845.NASL", "FEDORA_2009-3868.NASL", "UBUNTU_USN-716-1.NASL", "DEBIAN_DSA-1715.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:63311", "OPENVAS:136141256231063311", "OPENVAS:64241", "OPENVAS:136141256231064008", "OPENVAS:136141256231063301", "OPENVAS:63301", "OPENVAS:136141256231063881", "OPENVAS:64008", "OPENVAS:63880", "OPENVAS:136141256231064410"], "type": "openvas"}, {"idList": ["EDB-ID:32746"], "type": "exploitdb"}, {"idList": ["CVE-2009-0312", "CVE-2009-0260"], "type": "cve"}, {"idList": ["DEBIAN:DSA-1715-1:0EDF4"], "type": "debian"}, {"idList": ["USN-716-1"], "type": "ubuntu"}, {"idList": ["6A523DBA-EEAB-11DD-AB4F-0030843D3802", "FC4D0AE8-3FA3-11DE-A3FD-0030843D3802"], "type": "freebsd"}], "rev": 2}, "score": {"modified": "2020-07-01T02:08:23", "rev": 2, "value": 6.3, "vector": "NONE"}}, "hash": "22579469eda450470816f6f3617995e74a1345d7a69c7b0e956a1d2ab64729e2", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "6862963a8e92de2a8d761873a5df8b89", "key": "href"}, {"hash": "945e159d480f5f4372046b93d3e62d6e", "key": "sourceData"}, {"hash": "5502696ce328a67cecd25ff284d0cd44", "key": "published"}, {"hash": "abbd74d0177ff24389de4ab76c7b713f", "key": "title"}, {"hash": "884a23e481653055bb195b266f7a7099", "key": "description"}, {"hash": "ef6a34ef0a948a42a3e116a2fa31dc8d", "key": "pluginID"}, {"hash": "09af42d085bff372e04f2ddfbaacfea0", "key": "cvelist"}, {"hash": "02d9efb661cdd5884507d305b738b68a", "key": "reporter"}, {"hash": "ff9c8f59f94fe6a3f075ecfc40c2b1ce", "key": "cpe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "5a83a90b3b3014247b69f5a5cda20835", "key": "references"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}, {"hash": "f2612b8e00eb9a9023e994df6d8d928a", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/38764", "id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "lastseen": "2020-07-01T02:08:23", "modified": "2020-07-02T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "38764", "published": "2009-05-14T00:00:00", "references": ["http://www.nessus.org/u?16fc5935", "http://moinmo.in/SecurityFixes"], "reporter": "This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # https://vuxml.freebsd.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?16fc5935\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "type": "nessus", "viewCount": 1}, "differentElements": ["modified"], "edition": 17, "lastseen": "2020-07-01T02:08:23"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:moinmoin"], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-10-28T20:23:46", "references": [{"idList": ["SECURITYVULNS:DOC:21261", "SECURITYVULNS:VULN:9634"], "type": "securityvulns"}, {"idList": ["FREEBSD_PKG_6A523DBAEEAB11DDAB4F0030843D3802.NASL", "FEDORA_2009-3845.NASL", "FEDORA_2009-3868.NASL", "UBUNTU_USN-716-1.NASL", "DEBIAN_DSA-1715.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:63311", "OPENVAS:136141256231063311", "OPENVAS:64241", "OPENVAS:136141256231064008", "OPENVAS:136141256231063301", "OPENVAS:63301", "OPENVAS:136141256231063881", "OPENVAS:64008", "OPENVAS:63880", "OPENVAS:136141256231064410"], "type": "openvas"}, {"idList": ["EDB-ID:32746"], "type": "exploitdb"}, {"idList": ["CVE-2009-0312", "CVE-2009-0260"], "type": "cve"}, {"idList": ["DEBIAN:DSA-1715-1:0EDF4"], "type": "debian"}, {"idList": ["USN-716-1"], "type": "ubuntu"}, {"idList": ["6A523DBA-EEAB-11DD-AB4F-0030843D3802", "FC4D0AE8-3FA3-11DE-A3FD-0030843D3802"], "type": "freebsd"}]}, "score": {"modified": "2019-10-28T20:23:46", "value": 6.3, "vector": "NONE"}}, "hash": "13750aba4847e99d771aff2e6d4c25ba9670b814e82fb3df963ec7d5e6afb1ca", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "6862963a8e92de2a8d761873a5df8b89", "key": "href"}, {"hash": "945e159d480f5f4372046b93d3e62d6e", "key": "sourceData"}, {"hash": "5502696ce328a67cecd25ff284d0cd44", "key": "published"}, {"hash": "abbd74d0177ff24389de4ab76c7b713f", "key": "title"}, {"hash": "884a23e481653055bb195b266f7a7099", "key": "description"}, {"hash": "ef6a34ef0a948a42a3e116a2fa31dc8d", "key": "pluginID"}, {"hash": "09af42d085bff372e04f2ddfbaacfea0", "key": "cvelist"}, {"hash": "02d9efb661cdd5884507d305b738b68a", "key": "reporter"}, {"hash": "ff9c8f59f94fe6a3f075ecfc40c2b1ce", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "5a83a90b3b3014247b69f5a5cda20835", "key": "references"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/38764", "id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "lastseen": "2019-10-28T20:23:46", "modified": "2019-10-02T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "38764", "published": "2009-05-14T00:00:00", "references": ["http://www.nessus.org/u?16fc5935", "http://moinmo.in/SecurityFixes"], "reporter": "This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # https://vuxml.freebsd.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?16fc5935\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "type": "nessus", "viewCount": 1}, "differentElements": ["modified"], "edition": 8, "lastseen": "2019-10-28T20:23:46"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.", "edition": 1, "enchantments": {}, "hash": "85eda2bdcc030c62532610e0532910202b934e498a6a5dd627b343f903f0ec7d", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "4ed7fe5fee22ac61551349d20999ba95", "key": "href"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "193604c21f462842a6ff331014909090", "key": "sourceData"}, {"hash": "5502696ce328a67cecd25ff284d0cd44", "key": "published"}, {"hash": "abbd74d0177ff24389de4ab76c7b713f", "key": "title"}, {"hash": "464adaa290f7456fad4cdc772331beb4", "key": "modified"}, {"hash": "e829f9bff6a2715e75d5fec049e55a1d", "key": "references"}, {"hash": "ef6a34ef0a948a42a3e116a2fa31dc8d", "key": "pluginID"}, {"hash": "09af42d085bff372e04f2ddfbaacfea0", "key": "cvelist"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "03276210b4446efb1d7117de33a1c4ee", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38764", "id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "lastseen": "2016-09-26T17:24:14", "modified": "2014-08-14T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "38764", "published": "2009-05-14T00:00:00", "references": ["http://www.nessus.org/u?ef60af0a", "http://moinmo.in/SecurityFixes"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2014/08/14 14:19:28 $\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # http://www.freebsd.org/ports/portaudit/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef60af0a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:14"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:moinmoin"], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.", "edition": 4, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "4c9f363573ab06e755894a5d6fdd620b8c3d6e698add6d467bb3a1edbaec6626", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "4ed7fe5fee22ac61551349d20999ba95", "key": "href"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "193604c21f462842a6ff331014909090", "key": "sourceData"}, {"hash": "5502696ce328a67cecd25ff284d0cd44", "key": "published"}, {"hash": "abbd74d0177ff24389de4ab76c7b713f", "key": "title"}, {"hash": "464adaa290f7456fad4cdc772331beb4", "key": "modified"}, {"hash": "e829f9bff6a2715e75d5fec049e55a1d", "key": "references"}, {"hash": "ef6a34ef0a948a42a3e116a2fa31dc8d", "key": "pluginID"}, {"hash": "09af42d085bff372e04f2ddfbaacfea0", "key": "cvelist"}, {"hash": "ff9c8f59f94fe6a3f075ecfc40c2b1ce", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "03276210b4446efb1d7117de33a1c4ee", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38764", "id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "lastseen": "2018-09-01T23:42:30", "modified": "2014-08-14T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "38764", "published": "2009-05-14T00:00:00", "references": ["http://www.nessus.org/u?ef60af0a", "http://moinmo.in/SecurityFixes"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2014/08/14 14:19:28 $\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # http://www.freebsd.org/ports/portaudit/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef60af0a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 4, "lastseen": "2018-09-01T23:42:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:moinmoin"], "cvelist": ["CVE-2009-0312", "CVE-2009-0260"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.", "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "4c9f363573ab06e755894a5d6fdd620b8c3d6e698add6d467bb3a1edbaec6626", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "4ed7fe5fee22ac61551349d20999ba95", "key": "href"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "193604c21f462842a6ff331014909090", "key": "sourceData"}, {"hash": "5502696ce328a67cecd25ff284d0cd44", "key": "published"}, {"hash": "abbd74d0177ff24389de4ab76c7b713f", "key": "title"}, {"hash": "464adaa290f7456fad4cdc772331beb4", "key": "modified"}, {"hash": "e829f9bff6a2715e75d5fec049e55a1d", "key": "references"}, {"hash": "ef6a34ef0a948a42a3e116a2fa31dc8d", "key": "pluginID"}, {"hash": "09af42d085bff372e04f2ddfbaacfea0", "key": "cvelist"}, {"hash": "ff9c8f59f94fe6a3f075ecfc40c2b1ce", "key": "cpe"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "03276210b4446efb1d7117de33a1c4ee", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38764", "id": "FREEBSD_PKG_FC4D0AE83FA311DEA3FD0030843D3802.NASL", "lastseen": "2017-10-29T13:36:54", "modified": "2014-08-14T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "38764", "published": "2009-05-14T00:00:00", "references": ["http://www.nessus.org/u?ef60af0a", "http://moinmo.in/SecurityFixes"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2014 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2014/08/14 14:19:28 $\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # http://www.freebsd.org/ports/portaudit/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef60af0a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-10-29T13:36:54"}], "edition": 18, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "ff9c8f59f94fe6a3f075ecfc40c2b1ce"}, {"key": "cvelist", "hash": "09af42d085bff372e04f2ddfbaacfea0"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "884a23e481653055bb195b266f7a7099"}, {"key": "href", "hash": "6862963a8e92de2a8d761873a5df8b89"}, {"key": "modified", "hash": "369e92b935a6f4ab6c9cb915addb4bf4"}, {"key": "naslFamily", "hash": "fe45aa727b58c1249bf04cfb7b4e6ae0"}, {"key": "pluginID", "hash": "ef6a34ef0a948a42a3e116a2fa31dc8d"}, {"key": "published", "hash": "5502696ce328a67cecd25ff284d0cd44"}, {"key": "references", "hash": "5a83a90b3b3014247b69f5a5cda20835"}, {"key": "reporter", "hash": "02d9efb661cdd5884507d305b738b68a"}, {"key": "sourceData", "hash": "945e159d480f5f4372046b93d3e62d6e"}, {"key": "title", "hash": "abbd74d0177ff24389de4ab76c7b713f"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "b44dd28989c06124a8da0ee87014d92408459a0ca25ccb83f6b3ffa5deccb8a9", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0260", "CVE-2009-0312"]}, {"type": "freebsd", "idList": ["6A523DBA-EEAB-11DD-AB4F-0030843D3802", "FC4D0AE8-3FA3-11DE-A3FD-0030843D3802"]}, {"type": "nessus", "idList": ["FEDORA_2009-3845.NASL", "FREEBSD_PKG_6A523DBAEEAB11DDAB4F0030843D3802.NASL", "FEDORA_2009-3868.NASL", "DEBIAN_DSA-1715.NASL", "UBUNTU_USN-716-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:63301", "OPENVAS:136141256231063301", "OPENVAS:136141256231063311", "OPENVAS:136141256231064410", "OPENVAS:136141256231063881", "OPENVAS:63880", "OPENVAS:64008", "OPENVAS:136141256231064008", "OPENVAS:64241", "OPENVAS:63311"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:21261", "SECURITYVULNS:VULN:9634"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1715-1:0EDF4"]}, {"type": "exploitdb", "idList": ["EDB-ID:32746"]}, {"type": "ubuntu", "idList": ["USN-716-1"]}], "modified": "2020-08-01T02:25:03", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-08-01T02:25:03", "rev": 2}, "vulnersScore": 6.3}, "objectVersion": "1.3", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38764);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (fc4d0ae8-3fa3-11de-a3fd-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nSome vulnerabilities have been reported in MoinMoin, which can be\nexploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes\"\n );\n # https://vuxml.freebsd.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?16fc5935\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "38764", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:moinmoin"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:09:57", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in the antispam feature (security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote attackers to inject arbitrary web script or HTML via crafted, disallowed content.", "modified": "2018-10-03T21:58:00", "id": "CVE-2009-0312", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0312", "published": "2009-01-28T01:30:00", "title": "CVE-2009-0312", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:09:57", "bulletinFamily": "NVD", "description": "Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers to inject arbitrary web script or HTML via an AttachFile action to the WikiSandBox component with (1) the rename parameter or (2) the drawing parameter (aka the basename variable).", "modified": "2018-10-11T21:01:00", "id": "CVE-2009-0260", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0260", "published": "2009-01-23T19:00:00", "title": "CVE-2009-0260", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "unix", "description": "\nSecunia reports:\n\nInput passed to multiple parameters in action/AttachFile.py is not\n\t properly sanitised before being returned to the user. This can be\n\t exploited to execute arbitrary HTML and script code in a user's\n\t browser session in the context of an affected site.\nCertain input passed to security/antispam.py is not properly\n\t sanitised before being returned to the user. This can be exploited to\n\t execute arbitrary HTML and script code in a user's browser session in\n\t the context of an affected site.\n\n", "modified": "2009-01-21T00:00:00", "published": "2009-01-21T00:00:00", "id": "6A523DBA-EEAB-11DD-AB4F-0030843D3802", "href": "https://vuxml.freebsd.org/freebsd/6a523dba-eeab-11dd-ab4f-0030843d3802.html", "title": "moinmoin -- multiple cross site scripting vulnerabilities", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:15", "bulletinFamily": "unix", "description": "\nSecunia reports:\n\nSome vulnerabilities have been reported in MoinMoin, which can be\n\t exploited by malicious people to conduct cross-site scripting attacks.\nInput passed to multiple parameters in action/AttachFile.py is not\n\t properly sanitised before being returned to the user. This can be\n\t exploited to execute arbitrary HTML and script code in a user's\n\t browser session in the context of an affected site.\nCertain input passed to security/antispam.py is not properly\n\t sanitised before being returned to the user. This can be exploited to\n\t execute arbitrary HTML and script code in a user's browser session in\n\t the context of an affected site.\n\n", "modified": "2009-01-21T00:00:00", "published": "2009-01-21T00:00:00", "id": "FC4D0AE8-3FA3-11DE-A3FD-0030843D3802", "href": "https://vuxml.freebsd.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html", "title": "moinmoin -- multiple cross site scripting vulnerabilities", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2020-08-01T02:19:09", "bulletinFamily": "scanner", "description": "Secunia reports :\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user", "modified": "2020-08-02T00:00:00", "id": "FREEBSD_PKG_6A523DBAEEAB11DDAB4F0030843D3802.NASL", "href": "https://www.tenable.com/plugins/nessus/35563", "published": "2009-02-01T00:00:00", "title": "FreeBSD : moinmoin -- multiple XSS vulnerabilities (6a523dba-eeab-11dd-ab4f-0030843d3802)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35563);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/08/02 13:32:40\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"Secunia\", value:\"33593\");\n\n script_name(english:\"FreeBSD : moinmoin -- multiple XSS vulnerabilities (6a523dba-eeab-11dd-ab4f-0030843d3802)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Secunia reports :\n\nInput passed to multiple parameters in action/AttachFile.py is not\nproperly sanitised before being returned to the user. This can be\nexploited to execute arbitrary HTML and script code in a user's\nbrowser session in the context of an affected site.\n\nCertain input passed to security/antispam.py is not properly sanitised\nbefore being returned to the user. This can be exploited to execute\narbitrary HTML and script code in a user's browser session in the\ncontext of an affected site.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://hg.moinmo.in/moin/1.8/file/c76d50dac855\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://hg.moinmo.in/moin/1.8/rev/89b91bf87dad\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://moinmo.in/SecurityFixes#moin1.8.1\"\n );\n # https://vuxml.freebsd.org/freebsd/6a523dba-eeab-11dd-ab4f-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b8722d6d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/02/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"moinmoin<1.8.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-08-01T01:17:30", "bulletinFamily": "scanner", "description": "It was discovered that the AttachFile action in moin, a python clone\nof WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260\n). Another cross-site scripting vulnerability was discovered in the\nantispam feature (CVE-2009-0312 ).", "modified": "2020-08-02T00:00:00", "id": "DEBIAN_DSA-1715.NASL", "href": "https://www.tenable.com/plugins/nessus/35550", "published": "2009-01-29T00:00:00", "title": "Debian DSA-1715-1 : moin - insufficient input sanitising", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1715. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(35550);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/08/02 13:32:21\");\n\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_xref(name:\"DSA\", value:\"1715\");\n\n script_name(english:\"Debian DSA-1715-1 : moin - insufficient input sanitising\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the AttachFile action in moin, a python clone\nof WikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260\n). Another cross-site scripting vulnerability was discovered in the\nantispam feature (CVE-2009-0312 ).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513158\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-0260\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-0312\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1715\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the moin packages.\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 1.5.3-1.2etch2.\n\nFor the testing (lenny) distribution these problems have been fixed in\nversion 1.7.1-3+lenny1.\n\nFor the unstable (sid) distribution these problems have been fixed in\nversion 1.8.1-1.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:moin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/01/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"moinmoin-common\", reference:\"1.5.3-1.2etch2\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"python-moinmoin\", reference:\"1.5.3-1.2etch2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-08-01T01:35:33", "bulletinFamily": "scanner", "description": "Update moin to 1.6.4. Fix the following CVEs: CVE-2008-0781 (again),\nCVE-2008-3381, CVE-2009-0260, CVE-2009-0312. Fix AttachFile escaping\nproblems, upstream 1.7 changeset 5f51246a4df1 backported.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-08-02T00:00:00", "id": "FEDORA_2009-3845.NASL", "href": "https://www.tenable.com/plugins/nessus/36211", "published": "2009-04-22T00:00:00", "title": "Fedora 9 : moin-1.6.4-1.fc9 (2009-3845)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-3845.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(36211);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:32:29\");\n\n script_cve_id(\"CVE-2008-0781\", \"CVE-2008-3381\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_bugtraq_id(30297, 33365, 33479);\n script_xref(name:\"FEDORA\", value:\"2009-3845\");\n\n script_name(english:\"Fedora 9 : moin-1.6.4-1.fc9 (2009-3845)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update moin to 1.6.4. Fix the following CVEs: CVE-2008-0781 (again),\nCVE-2008-3381, CVE-2009-0260, CVE-2009-0312. Fix AttachFile escaping\nproblems, upstream 1.7 changeset 5f51246a4df1 backported.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=432748\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=457362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=481547\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=482791\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022561.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?42bd1714\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected moin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"moin-1.6.4-1.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moin\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-08-01T01:35:33", "bulletinFamily": "scanner", "description": "Update moin to 1.6.4. Fix the following CVEs: CVE-2008-0781 (again),\nCVE-2008-3381, CVE-2009-0260, CVE-2009-0312. Fix AttachFile escaping\nproblems, upstream 1.7 changeset 5f51246a4df1 backported.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-08-02T00:00:00", "id": "FEDORA_2009-3868.NASL", "href": "https://www.tenable.com/plugins/nessus/37870", "published": "2009-04-23T00:00:00", "title": "Fedora 10 : moin-1.6.4-1.fc10 (2009-3868)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-3868.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(37870);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2019/08/02 13:32:29\");\n\n script_cve_id(\"CVE-2008-0781\", \"CVE-2008-3381\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_bugtraq_id(30297, 33365, 33479);\n script_xref(name:\"FEDORA\", value:\"2009-3868\");\n\n script_name(english:\"Fedora 10 : moin-1.6.4-1.fc10 (2009-3868)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update moin to 1.6.4. Fix the following CVEs: CVE-2008-0781 (again),\nCVE-2008-3381, CVE-2009-0260, CVE-2009-0312. Fix AttachFile escaping\nproblems, upstream 1.7 changeset 5f51246a4df1 backported.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=432748\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=457362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=481547\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=482791\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022622.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?83d0fb26\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected moin package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(79);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"moin-1.6.4-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moin\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-08-01T05:40:28", "bulletinFamily": "scanner", "description": "Fernando Quintero discovered than MoinMoin did not properly sanitize\nits input when processing login requests, resulting in cross-site\nscripting (XSS) vulnerabilities. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data, within the same\ndomain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780)\n\nFernando Quintero discovered that MoinMoin did not properly sanitize\nits input when attaching files, resulting in cross-site scripting\nvulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04\nLTS. (CVE-2008-0781)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen processing user forms. A remote attacker could submit crafted\ncookie values and overwrite arbitrary files via directory traversal.\nThis issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS.\n(CVE-2008-0782)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen editing pages, resulting in cross-site scripting vulnerabilities.\nThis issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)\n\nIt was discovered that MoinMoin did not properly enforce access\ncontrols, which could allow a remoter attacker to view private pages.\nThis issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen attaching files and using the rename parameter, resulting in\ncross-site scripting vulnerabilities. (CVE-2009-0260)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen displaying error messages after processing spam, resulting in\ncross-site scripting vulnerabilities. (CVE-2009-0312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-08-02T00:00:00", "id": "UBUNTU_USN-716-1.NASL", "href": "https://www.tenable.com/plugins/nessus/38011", "published": "2009-04-23T00:00:00", "title": "Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : moin vulnerabilities (USN-716-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-716-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38011);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:33:02\");\n\n script_cve_id(\"CVE-2008-0780\", \"CVE-2008-0781\", \"CVE-2008-0782\", \"CVE-2008-1098\", \"CVE-2008-1099\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_bugtraq_id(28177, 33365, 33479);\n script_xref(name:\"USN\", value:\"716-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : moin vulnerabilities (USN-716-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fernando Quintero discovered than MoinMoin did not properly sanitize\nits input when processing login requests, resulting in cross-site\nscripting (XSS) vulnerabilities. With cross-site scripting\nvulnerabilities, if a user were tricked into viewing server output\nduring a crafted server request, a remote attacker could exploit this\nto modify the contents, or steal confidential data, within the same\ndomain. This issue affected Ubuntu 7.10 and 8.04 LTS. (CVE-2008-0780)\n\nFernando Quintero discovered that MoinMoin did not properly sanitize\nits input when attaching files, resulting in cross-site scripting\nvulnerabilities. This issue affected Ubuntu 6.06 LTS, 7.10 and 8.04\nLTS. (CVE-2008-0781)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen processing user forms. A remote attacker could submit crafted\ncookie values and overwrite arbitrary files via directory traversal.\nThis issue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS.\n(CVE-2008-0782)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen editing pages, resulting in cross-site scripting vulnerabilities.\nThis issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)\n\nIt was discovered that MoinMoin did not properly enforce access\ncontrols, which could allow a remoter attacker to view private pages.\nThis issue only affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen attaching files and using the rename parameter, resulting in\ncross-site scripting vulnerabilities. (CVE-2009-0260)\n\nIt was discovered that MoinMoin did not properly sanitize its input\nwhen displaying error messages after processing spam, resulting in\ncross-site scripting vulnerabilities. (CVE-2009-0312).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/716-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected moinmoin-common, python-moinmoin and / or\npython2.4-moinmoin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(22, 79, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:moinmoin-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python-moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:python2.4-moinmoin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|7\\.10|8\\.04|8\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 7.10 / 8.04 / 8.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"moinmoin-common\", pkgver:\"1.5.2-1ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"python-moinmoin\", pkgver:\"1.5.2-1ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"python2.4-moinmoin\", pkgver:\"1.5.2-1ubuntu2.4\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"moinmoin-common\", pkgver:\"1.5.7-3ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"python-moinmoin\", pkgver:\"1.5.7-3ubuntu2.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"moinmoin-common\", pkgver:\"1.5.8-5.1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"python-moinmoin\", pkgver:\"1.5.8-5.1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"python-moinmoin\", pkgver:\"1.7.1-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moinmoin-common / python-moinmoin / python2.4-moinmoin\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2018-04-06T11:38:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory DSA 1715-1.", "modified": "2018-04-06T00:00:00", "published": "2009-02-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063301", "id": "OPENVAS:136141256231063301", "title": "Debian Security Advisory DSA 1715-1 (moin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1715_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1715-1 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the AttachFile action in moin, a python clone of\nWikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).\nAnother cross-site scripting vulnerability was discovered in the\nantispam feature (CVE-2009-0312).\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 1.5.3-1.2etch2.\n\nFor the testing (lenny) distribution these problems have been fixed in\nversion 1.7.1-3+lenny1.\n\nFor the unstable (sid) distribution these problems have been fixed in\nversion 1.8.1-1.1.\n\nWe recommend that you upgrade your moin packages.\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory DSA 1715-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201715-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63301\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-02 23:28:24 +0100 (Mon, 02 Feb 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1715-1 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-moinmoin\", ver:\"1.5.3-1.2etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"moinmoin-common\", ver:\"1.5.3-1.2etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:14:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-23T00:00:00", "published": "2009-02-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=63311", "id": "OPENVAS:63311", "title": "FreeBSD Ports: moinmoin", "type": "openvas", "sourceData": "#\n#VID 6a523dba-eeab-11dd-ab4f-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 6a523dba-eeab-11dd-ab4f-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: moinmoin\n\nCVE-2009-0260\nMultiple cross-site scripting (XSS) vulnerabilities in\naction/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers\nto inject arbitrary web script or HTML via an AttachFile action to the\nWikiSandBox component with (1) the rename parameter or (2) the drawing\nparameter (aka the basename variable).\n\nCVE-2009-0312\nCross-site scripting (XSS) vulnerability in the antispam feature\n(security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote\nattackers to inject arbitrary web script or HTML via crafted,\ndisallowed content.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/33593/\nhttp://hg.moinmo.in/moin/1.8/file/c76d50dac855\nhttp://hg.moinmo.in/moin/1.8/rev/89b91bf87dad\nhttp://moinmo.in/SecurityFixes#moin1.8.1\nhttp://www.vuxml.org/freebsd/6a523dba-eeab-11dd-ab4f-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(63311);\n script_version(\"$Revision: 4847 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-23 10:33:16 +0100 (Fri, 23 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-02 23:28:24 +0100 (Mon, 02 Feb 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"FreeBSD Ports: moinmoin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"moinmoin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8.1\")<0) {\n txt += 'Package moinmoin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:56:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory DSA 1715-1.", "modified": "2017-07-07T00:00:00", "published": "2009-02-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=63301", "id": "OPENVAS:63301", "title": "Debian Security Advisory DSA 1715-1 (moin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1715_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1715-1 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the AttachFile action in moin, a python clone of\nWikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).\nAnother cross-site scripting vulnerability was discovered in the\nantispam feature (CVE-2009-0312).\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 1.5.3-1.2etch2.\n\nFor the testing (lenny) distribution these problems have been fixed in\nversion 1.7.1-3+lenny1.\n\nFor the unstable (sid) distribution these problems have been fixed in\nversion 1.8.1-1.1.\n\nWe recommend that you upgrade your moin packages.\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory DSA 1715-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201715-1\";\n\n\nif(description)\n{\n script_id(63301);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-02 23:28:24 +0100 (Mon, 02 Feb 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1715-1 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"python-moinmoin\", ver:\"1.5.3-1.2etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"moinmoin-common\", ver:\"1.5.3-1.2etch2\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:37:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-05-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064008", "id": "OPENVAS:136141256231064008", "title": "FreeBSD Ports: moinmoin", "type": "openvas", "sourceData": "#\n#VID fc4d0ae8-3fa3-11de-a3fd-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID fc4d0ae8-3fa3-11de-a3fd-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: moinmoin\n\nCVE-2009-0260\nMultiple cross-site scripting (XSS) vulnerabilities in\naction/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers\nto inject arbitrary web script or HTML via an AttachFile action to the\nWikiSandBox component with (1) the rename parameter or (2) the drawing\nparameter (aka the basename variable).\n\nCVE-2009-0312\nCross-site scripting (XSS) vulnerability in the antispam feature\n(security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote\nattackers to inject arbitrary web script or HTML via crafted,\ndisallowed content.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://moinmo.in/SecurityFixes\nhttp://secunia.com/advisories/33593\nhttp://www.vuxml.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64008\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-20 00:17:15 +0200 (Wed, 20 May 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"FreeBSD Ports: moinmoin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"moinmoin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8.2\")<0) {\n txt += 'Package moinmoin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:40:46", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2018-04-06T00:00:00", "published": "2009-02-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063311", "id": "OPENVAS:136141256231063311", "title": "FreeBSD Ports: moinmoin", "type": "openvas", "sourceData": "#\n#VID 6a523dba-eeab-11dd-ab4f-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 6a523dba-eeab-11dd-ab4f-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: moinmoin\n\nCVE-2009-0260\nMultiple cross-site scripting (XSS) vulnerabilities in\naction/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers\nto inject arbitrary web script or HTML via an AttachFile action to the\nWikiSandBox component with (1) the rename parameter or (2) the drawing\nparameter (aka the basename variable).\n\nCVE-2009-0312\nCross-site scripting (XSS) vulnerability in the antispam feature\n(security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote\nattackers to inject arbitrary web script or HTML via crafted,\ndisallowed content.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://secunia.com/advisories/33593/\nhttp://hg.moinmo.in/moin/1.8/file/c76d50dac855\nhttp://hg.moinmo.in/moin/1.8/rev/89b91bf87dad\nhttp://moinmo.in/SecurityFixes#moin1.8.1\nhttp://www.vuxml.org/freebsd/6a523dba-eeab-11dd-ab4f-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63311\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-02 23:28:24 +0100 (Mon, 02 Feb 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"FreeBSD Ports: moinmoin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"moinmoin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8.1\")<0) {\n txt += 'Package moinmoin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:49", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-12-23T00:00:00", "published": "2009-05-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64008", "id": "OPENVAS:64008", "title": "FreeBSD Ports: moinmoin", "type": "openvas", "sourceData": "#\n#VID fc4d0ae8-3fa3-11de-a3fd-0030843d3802\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID fc4d0ae8-3fa3-11de-a3fd-0030843d3802\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: moinmoin\n\nCVE-2009-0260\nMultiple cross-site scripting (XSS) vulnerabilities in\naction/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers\nto inject arbitrary web script or HTML via an AttachFile action to the\nWikiSandBox component with (1) the rename parameter or (2) the drawing\nparameter (aka the basename variable).\n\nCVE-2009-0312\nCross-site scripting (XSS) vulnerability in the antispam feature\n(security/antispam.py) in MoinMoin 1.7 and 1.8.1 allows remote\nattackers to inject arbitrary web script or HTML via crafted,\ndisallowed content.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://moinmo.in/SecurityFixes\nhttp://secunia.com/advisories/33593\nhttp://www.vuxml.org/freebsd/fc4d0ae8-3fa3-11de-a3fd-0030843d3802.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(64008);\n script_version(\"$Revision: 4847 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-12-23 10:33:16 +0100 (Fri, 23 Dec 2016) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-20 00:17:15 +0200 (Wed, 20 May 2009)\");\n script_cve_id(\"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"FreeBSD Ports: moinmoin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"moinmoin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.8.2\")<0) {\n txt += 'Package moinmoin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:40:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-7761.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064410", "id": "OPENVAS:136141256231064410", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7761 (moin)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7761.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7761 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update removes the filemanager and _samples directories from the embedded\nFCKeditor, they contain code with known security vulnerabilities, even though\nthat code couldn't be invoked when Moin was used with the default settings. Moin\nwas probably not affected, but installing this update is still recommended as a\nsecurity measure. CVE-2009-2265 is the related CVE identifier.\n\nChangeLog:\n\n* Sun Jul 12 2009 Ville-Pekka Vainio 1.6.4-3\n- Remove the filemanager and _samples directories from the embedded FCKeditor,\nthey contain code with know security vulnerabilities, even though that code\nprobably couldn't be invoked when moin was used with the default settings.\n- Fixes rhbz #509924, related to CVE-2009-2265\n* Sat Jun 13 2009 Ville-Pekka Vainio 1.6.4-2\n- Hierarchical ACL security fix from 1.8.4, 1.8 HG 897cdbe9e8f2\n- Details at http://moinmo.in/SecurityFixes#moin_1.8.3\n- Convert CHANGES to UTF-8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update moin' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7761\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-7761.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64410\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2265\", \"CVE-2008-3381\", \"CVE-2008-0781\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-7761 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=509924\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"moin\", rpm:\"moin~1.6.4~3.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:38:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-3868.", "modified": "2018-04-06T00:00:00", "published": "2009-04-28T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063881", "id": "OPENVAS:136141256231063881", "title": "Fedora Core 10 FEDORA-2009-3868 (moin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_3868.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-3868 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpdate moin to 1.6.4. Fix the following CVEs: CVE-2008-0781 (again),\nCVE-2008-3381, CVE-2009-0260, CVE-2009-0312. Fix AttachFile escaping problems,\nupstream 1.7 changeset 5f51246a4df1 backported.\nChangeLog:\n\n* Mon Apr 20 2009 Ville-Pekka Vainio 1.6.4-1\n- Update to 1.6.4\n- CVE-2008-3381 fixed upstream\n- Re-fix CVE-2008-0781, upstream seems to have dropped the fix in 1.6,\nused part of upstream 1.5 db212dfc58ef, backported upstream 1.7 5f51246a4df1\nand 269a1fbc3ed7\n- Fix CVE-2009-0260, patch from Debian etch\n- Fix CVE-2009-0312\n- Fix AttachFile escaping problems, backported upstream 1.7 5c4043e651b3\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update moin' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-3868\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-3868.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63881\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-28 20:40:12 +0200 (Tue, 28 Apr 2009)\");\n script_cve_id(\"CVE-2008-0781\", \"CVE-2008-3381\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-3868 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=457362\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=481547\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=432748\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=482791\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"moin\", rpm:\"moin~1.6.4~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:57:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-7761.", "modified": "2017-07-10T00:00:00", "published": "2009-07-29T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64410", "id": "OPENVAS:64410", "title": "Fedora Core 10 FEDORA-2009-7761 (moin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7761.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7761 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update removes the filemanager and _samples directories from the embedded\nFCKeditor, they contain code with known security vulnerabilities, even though\nthat code couldn't be invoked when Moin was used with the default settings. Moin\nwas probably not affected, but installing this update is still recommended as a\nsecurity measure. CVE-2009-2265 is the related CVE identifier.\n\nChangeLog:\n\n* Sun Jul 12 2009 Ville-Pekka Vainio 1.6.4-3\n- Remove the filemanager and _samples directories from the embedded FCKeditor,\nthey contain code with know security vulnerabilities, even though that code\nprobably couldn't be invoked when moin was used with the default settings.\n- Fixes rhbz #509924, related to CVE-2009-2265\n* Sat Jun 13 2009 Ville-Pekka Vainio 1.6.4-2\n- Hierarchical ACL security fix from 1.8.4, 1.8 HG 897cdbe9e8f2\n- Details at http://moinmo.in/SecurityFixes#moin_1.8.3\n- Convert CHANGES to UTF-8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update moin' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7761\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-7761.\";\n\n\n\nif(description)\n{\n script_id(64410);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2265\", \"CVE-2008-3381\", \"CVE-2008-0781\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-7761 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=509924\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"moin\", rpm:\"moin~1.6.4~3.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-6557.", "modified": "2017-07-10T00:00:00", "published": "2009-06-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64241", "id": "OPENVAS:64241", "title": "Fedora Core 10 FEDORA-2009-6557 (moin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_6557.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-6557 (moin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update includes a security fix for a hierarchical ACL vulnerability\n(hierarchical is not the default ACL mode), http://moinmo.in/SecurityFixes has\nthe details of the fix.\n\nChangeLog:\n\n* Sat Jun 13 2009 Ville-Pekka Vainio 1.6.4-2\n- Hierarchical ACL security fix from 1.8.4, 1.8 HG 897cdbe9e8f2\n- Details at http://moinmo.in/SecurityFixes#moin_1.8.3\n- Convert CHANGES to UTF-8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update moin' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-6557\";\ntag_summary = \"The remote host is missing an update to moin\nannounced via advisory FEDORA-2009-6557.\";\n\n\n\nif(description)\n{\n script_id(64241);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-23 15:49:15 +0200 (Tue, 23 Jun 2009)\");\n script_cve_id(\"CVE-2008-3381\", \"CVE-2008-0781\", \"CVE-2009-0260\", \"CVE-2009-0312\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-6557 (moin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"moin\", rpm:\"moin~1.6.4~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:31", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.\r\nE107: \u043e\u0431\u0445\u043e\u0434 CAPTCHA, \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433.", "modified": "2009-01-31T00:00:00", "published": "2009-01-31T00:00:00", "id": "SECURITYVULNS:VULN:9634", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9634", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:29", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1715 security@debian.org\r\nhttp://www.debian.org/security/ Steffen Joeris\r\nJanuary 29, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : moin\r\nVulnerability : insufficient input sanitising\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2009-0260 CVE-2009-0312\r\nDebian Bug : 513158\r\n\r\n\r\nIt was discovered that the AttachFile action in moin, a python clone of\r\nWikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).\r\nAnother cross-site scripting vulnerability was discovered in the\r\nantispam feature (CVE-2009-0312).\r\n\r\n\r\nFor the stable distribution (etch) these problems have been fixed in\r\nversion 1.5.3-1.2etch2.\r\n\r\nFor the testing (lenny) distribution these problems have been fixed in\r\nversion 1.7.1-3+lenny1.\r\n\r\nFor the unstable (sid) distribution these problems have been fixed in\r\nversion 1.8.1-1.1.\r\n\r\nWe recommend that you upgrade your moin packages.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nDebian (stable)\r\n- ---------------\r\n\r\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.diff.gz\r\n Size/MD5 checksum: 40914 139bcec334ed7fbf1ca2bef3c89a8377\r\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3.orig.tar.gz\r\n Size/MD5 checksum: 4187091 e95ec46ee8de9527a39793108de22f7d\r\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.dsc\r\n Size/MD5 checksum: 671 7b24d6f694511840a0a9da0c9f33f5ad\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.5.3-1.2etch2_all.deb\r\n Size/MD5 checksum: 914904 ab6158ae7010c3701859ceb26bd61bd2\r\n http://security.debian.org/pool/updates/main/m/moin/moinmoin-common_1.5.3-1.2etch2_all.deb\r\n Size/MD5 checksum: 1595112 a46561072eb0ee26ee1a71275c0e64b3\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niD8DBQFJgT3oU5XKDemr/NIRApQ9AJ4tYeY7WMIAUYHjmeryHoEo6HkecgCgmIU9\r\nb7VcvgOvyalRLrZrejSKFQI=\r\n=miAO\r\n-----END PGP SIGNATURE-----", "modified": "2009-01-31T00:00:00", "published": "2009-01-31T00:00:00", "id": "SECURITYVULNS:DOC:21261", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21261", "title": "[SECURITY] [DSA 1715-1] New moin packages fix insufficient input sanitising", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": "2020-08-12T01:05:32", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1715 security@debian.org\nhttp://www.debian.org/security/ Steffen Joeris\nJanuary 29, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : moin\nVulnerability : insufficient input sanitising\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2009-0260 CVE-2009-0312\nDebian Bug : 513158\n\n\nIt was discovered that the AttachFile action in moin, a python clone of\nWikiWiki, is prone to cross-site scripting attacks (CVE-2009-0260).\nAnother cross-site scripting vulnerability was discovered in the\nantispam feature (CVE-2009-0312).\n\n\nFor the stable distribution (etch) these problems have been fixed in\nversion 1.5.3-1.2etch2.\n\nFor the testing (lenny) distribution these problems have been fixed in\nversion 1.7.1-3+lenny1.\n\nFor the unstable (sid) distribution these problems have been fixed in\nversion 1.8.1-1.1.\n\nWe recommend that you upgrade your moin packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.diff.gz\n Size/MD5 checksum: 40914 139bcec334ed7fbf1ca2bef3c89a8377\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3.orig.tar.gz\n Size/MD5 checksum: 4187091 e95ec46ee8de9527a39793108de22f7d\n http://security.debian.org/pool/updates/main/m/moin/moin_1.5.3-1.2etch2.dsc\n Size/MD5 checksum: 671 7b24d6f694511840a0a9da0c9f33f5ad\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/m/moin/python-moinmoin_1.5.3-1.2etch2_all.deb\n Size/MD5 checksum: 914904 ab6158ae7010c3701859ceb26bd61bd2\n http://security.debian.org/pool/updates/main/m/moin/moinmoin-common_1.5.3-1.2etch2_all.deb\n Size/MD5 checksum: 1595112 a46561072eb0ee26ee1a71275c0e64b3\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2009-01-29T07:14:25", "published": "2009-01-29T07:14:25", "id": "DEBIAN:DSA-1715-1:0EDF4", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00023.html", "title": "[SECURITY] [DSA 1715-1] New moin packages fix insufficient input sanitising", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2016-02-03T17:43:04", "bulletinFamily": "exploit", "description": "MoinMoin 1.8 'AttachFile.py' Cross-Site Scripting Vulnerability. CVE-2009-0260. Webapps exploit for cgi platform", "modified": "2009-01-20T00:00:00", "published": "2009-01-20T00:00:00", "id": "EDB-ID:32746", "href": "https://www.exploit-db.com/exploits/32746/", "type": "exploitdb", "title": "MoinMoin <= 1.8 - 'AttachFile.py' Cross-Site Scripting Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/33365/info\r\n\r\nMoinMoin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.\r\n\r\nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.\r\n\r\nVersions prior to MoinMoin 1.8.1 are vulnerable.\r\n\r\nhttp://www.example.com/moinmoin/WikiSandBox?rename=\"><script>alert('rename xss')</script>&action=AttachFile&drawing=\"><script>alert('drawing xss')</script> ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/32746/"}], "ubuntu": [{"lastseen": "2020-07-09T00:28:59", "bulletinFamily": "unix", "description": "Fernando Quintero discovered than MoinMoin did not properly sanitize its \ninput when processing login requests, resulting in cross-site scripting (XSS) \nvulnerabilities. With cross-site scripting vulnerabilities, if a user were \ntricked into viewing server output during a crafted server request, a remote \nattacker could exploit this to modify the contents, or steal confidential data, \nwithin the same domain. This issue affected Ubuntu 7.10 and 8.04 LTS. \n(CVE-2008-0780)\n\nFernando Quintero discovered that MoinMoin did not properly sanitize its input \nwhen attaching files, resulting in cross-site scripting vulnerabilities. This \nissue affected Ubuntu 6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0781)\n\nIt was discovered that MoinMoin did not properly sanitize its input when \nprocessing user forms. A remote attacker could submit crafted cookie values and \noverwrite arbitrary files via directory traversal. This issue affected Ubuntu \n6.06 LTS, 7.10 and 8.04 LTS. (CVE-2008-0782)\n\nIt was discovered that MoinMoin did not properly sanitize its input when \nediting pages, resulting in cross-site scripting vulnerabilities. This issue \nonly affected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1098)\n\nIt was discovered that MoinMoin did not properly enforce access controls, \nwhich could allow a remoter attacker to view private pages. This issue only \naffected Ubuntu 6.06 LTS and 7.10. (CVE-2008-1099)\n\nIt was discovered that MoinMoin did not properly sanitize its input when \nattaching files and using the rename parameter, resulting in cross-site \nscripting vulnerabilities. (CVE-2009-0260)\n\nIt was discovered that MoinMoin did not properly sanitize its input when \ndisplaying error messages after processing spam, resulting in cross-site \nscripting vulnerabilities. (CVE-2009-0312)", "modified": "2009-01-30T00:00:00", "published": "2009-01-30T00:00:00", "id": "USN-716-1", "href": "https://ubuntu.com/security/notices/USN-716-1", "title": "MoinMoin vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
