CVSS2: 3.5 Low

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.002 Low (Percentile: 54.9%)

Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam
action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users
to inject arbitrary web script or HTML by creating a page with a crafted
URI.
Author | Note |
---|---|
jdstrand | XSS in Despam page. The page name is not escaped in the revert_pages() function in Despam.py. It appears only privileged users are allowed to use the Despam action. Since the script must occur in the page name, it is pretty obvious when viewing that the page is suspicious (but this might be why someone was using the Despam action in the first place). There is also a limit on the length of the page name. |
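
The class of bug described in the note, a page name written into an HTML listing without escaping, is illustrated below next to a hardened form. This is an added example, not MoinMoin's Despam.py; the function names, the `/<pagename>` URL layout and the sample page names are assumptions constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample page names (not taken from the advisory).
SAMPLE_PAGES = [
    "FrontPage",
    "Spam<script>alert(1)</script>",
    'x" onmouseover="y',
]


def render_rows_unescaped(pagenames):
    """'Before' form: the page name is interpolated into the markup as-is."""
    return "".join(
        '<tr><td><a href="/%s">%s</a></td></tr>' % (name, name)
        for name in pagenames
    )


def render_rows_escaped(pagenames):
    """Hardened form: encode the name for each context it is written into."""
    rows = []
    for name in pagenames:
        # URL context first (percent-encoding), then HTML attribute context.
        href = html.escape("/" + quote(name, safe="/"), quote=True)
        # HTML text context for the visible link label.
        label = html.escape(name, quote=True)
        rows.append('<tr><td><a href="%s">%s</a></td></tr>' % (href, label))
    return "".join(rows)


def contains_raw_markup(fragment, pagenames):
    """True if a name holding HTML metacharacters appears verbatim in fragment."""
    risky = [n for n in pagenames if any(c in n for c in "<>\"'&")]
    return any(n in fragment for n in risky)


if __name__ == "__main__":
    print(contains_raw_markup(render_rows_unescaped(SAMPLE_PAGES), SAMPLE_PAGES))
    print(contains_raw_markup(render_rows_escaped(SAMPLE_PAGES), SAMPLE_PAGES))
```

`contains_raw_markup` can serve as a regression check in a test suite for any template that lists user-controlled page names.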