MoinMoin: Multiple vulnerabilities
Several vulnerabilities have been reported in MoinMoin Wiki Engine.
moinmoin
2008-03-18
2008-03-18: 01
209133
remote
1.6.1
1.6.1
MoinMoin is an advanced, easy to use and extensible Wiki Engine.
Multiple vulnerabilities have been discovered:
-
A vulnerability exists in the file wikimacro.py because the
_macro_Getval function does not properly enforce ACLs
(CVE-2008-1099).
-
A directory traversal vulnerability exists in the userform action
(CVE-2008-0782).
-
A Cross-Site Scripting vulnerability exists in the login action
(CVE-2008-0780).
-
Multiple Cross-Site Scripting vulnerabilities exist in the file
action/AttachFile.py when using the message, pagename, and target
filenames (CVE-2008-0781).
-
Multiple Cross-Site Scripting vulnerabilities exist in
formatter/text_gedit.py (aka the gui editor formatter) which can be
exploited via a page name or destination page name, which trigger an
injection in the file PageEditor.py (CVE-2008-1098).
These vulnerabilities can be exploited to allow remote attackers to
inject arbitrary web script or HTML, overwrite arbitrary files, or read
protected pages.
There is no known workaround at this time.
All MoinMoin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.6.1"
CVE-2008-0780
CVE-2008-0781
CVE-2008-0782
CVE-2008-1098
CVE-2008-1099
p-y
p-y
mfleming