CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15275 – malicious SVG attachment causing stored XSS vulnerability in MoinMoin
https://notcve.org/view.php?id=CVE-2020-15275
MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. • https://advisory.checkmarx.net/advisory/CX-2020-4285 https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2 https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11 https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 3EXPL: 0CVE-2020-25074
https://notcve.org/view.php?id=CVE-2020-25074
The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution. La acción de la caché en el archivo action/cache.py en MoinMoin versiones hasta 1.9.10, permite el salto de directorio por medio de una petición HTTP diseñada. Un atacante que pueda cargar archivos adjuntos a la wiki puede usar esto para lograr una ejecución de código remota • http://moinmo.in/SecurityFixes https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-52q8-877j-gghq https://lists.debian.org/debian-lts-announce/2020/11/msg00020.html https://www.debian.org/security/2020/dsa-4787 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2017-5934
https://notcve.org/view.php?id=CVE-2017-5934
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad Cross-Site Scripting (XSS) en el diálogo de enlaces en el editor de la interfaz gráfica de MoinMoin en versiones anteriores a la 1.9.10 permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html http://moinmo.in/SecurityFixes https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 https://lists.debian.org/debian-lts-announce/2018/10/msg00007.html https://usn.ubuntu.com/3794-1 https://www.debian.org/security/2018/dsa-4318 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-7146 – MoinMoin 1.9.8 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-7146
MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=fckdialog&dialog=attachment (via page name) component. MoinMoin 1.9.8 permite a atacantes remotos llevar a cabo ataques "JavaScript injection" utilizando el enfoque "page creation", relacionado con un problema "Cross Site Scripting (XSS)" que afecta al componente action=fckdialog&dialog=attachment (a través del nombre de página). MoinMoin version 1.9.8 suffers from cross site scripting vulnerabilities. • http://www.debian.org/security/2016/dsa-3715 http://www.securityfocus.com/bid/94259 http://www.ubuntu.com/usn/USN-3137-1 https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2016-7148 – MoinMoin 1.9.8 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2016-7148
MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=AttachFile (via page name) component. MoinMoin 1.9.8 permite a atacantes remotos llevar a cabo ataques "JavaScript injection" utilizando el enfoque "page creation", relacionado con un problema "Cross Site Scripting (XSS)" que afecta al componente action=AttachFile (a través del nombre de página). MoinMoin version 1.9.8 suffers from cross site scripting vulnerabilities. • http://www.debian.org/security/2016/dsa-3715 http://www.securityfocus.com/bid/94259 http://www.ubuntu.com/usn/USN-3137-1 https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •