CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2012-6080
https://notcve.org/view.php?id=CVE-2012-6080
Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name. Vulnerabilidad de salto de directorio en la función _do_attachment_move en una acción AttachFile (action/AttachFile.py) en MoinMoin v1.9.3 hasta v1.9.5 permite a atacantes remotos sobreescribir archivos arbitrarios a través de .. (punto punto) en un nombre de archivo. • http://hg.moinmo.in/moin/1.9/rev/3c27131a3c52 http://moinmo.in/SecurityFixes http://secunia.com/advisories/51663 http://secunia.com/advisories/51676 http://secunia.com/advisories/51696 http://ubuntu.com/usn/usn-1680-1 http://www.debian.org/security/2012/dsa-2593 http://www.openwall.com/lists/oss-security/2012/12/30/6 http://www.securityfocus.com/bid/57076 https://bugs.launchpad.net/ubuntu/+source/moin/+bug/1094599 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.0EPSS: 95%CPEs: 79EXPL: 4CVE-2012-6081 – MoinMoin - twikidraw Action Traversal Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2012-6081
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012. Múltiples subidas de fichero sin restricción en las acciones 1) twikidraw (action/twikidraw.py) y (2) anywikidraw (action/anywikidraw.py) en MoinMoin antes de v1.9.6 permitie a usuarios remotos autenticados con permisos de escritura para ejecutar código arbitrario mediante la carga de un archivo con una extensión ejecutable, y acceder a el a través de una solicitud dirigida directamente al archivo en un directorio especificado, como se explotó en en julio de 2012. • https://www.exploit-db.com/exploits/26422 https://www.exploit-db.com/exploits/25304 http://hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f http://moinmo.in/MoinMoinRelease1.9 http://moinmo.in/SecurityFixes http://secunia.com/advisories/51663 http://secunia.com/advisories/51676 http://secunia.com/advisories/51696 http://ubuntu.com/usn/usn-1680-1 http://www.debian.org/security/2012/dsa-2593 http://www.exploit-db.com/exploits/25304 http://www.openwall.com/lists/oss&# •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-4404
https://notcve.org/view.php?id=CVE-2012-4404
security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group. security/__init__.py en MoinMoin v1.9 hasta v1.9.4 no trata correctamente los nombres de los grupos que contienen nombres de grupos virtuales tales como "All", "Known", o "Trusted", lo que permite ser tratados como miembros del grupo no-virtual a usuarios remotos autenticados que pertenezcan a un grupo virtual. • http://hg.moinmo.in/moin/1.9/rev/7b9f39289e16 http://moinmo.in/SecurityFixes http://secunia.com/advisories/50474 http://secunia.com/advisories/50496 http://secunia.com/advisories/50885 http://www.debian.org/security/2012/dsa-2538 http://www.openwall.com/lists/oss-security/2012/09/04/4 http://www.openwall.com/lists/oss-security/2012/09/05/2 http://www.ubuntu.com/usn/USN-1604-1 • CWE-264: Permissions, Privileges, and Access Controls •