CVE-2008-1098
Gentoo Linux Security Advisory 200803-27
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name. NOTE: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780.
Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en MoinMoin 1.5.8 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de (1) ciertas entradas procesadas por formatter/text_gedit.py (también conocido como el gui editor formatter); (2) un nombre de página, que dispara una inyección en PageEditor.py cuando la página se borra exitosamente por una víctima en una acción DeletePage; (3) el nombre de la página destino para una acción RenamePage, lo que dispara una inyección en PageEditor.py cuando un intento de cambiar el nombre de la víctima falla debido a un nombre duplicado.
Fernando Quintero discovered than MoinMoin did not properly sanitize its input when processing login requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. Fernando Quintero discovered that MoinMoin did not properly sanitize its input when attaching files, resulting in cross-site scripting vulnerabilities. It was discovered that MoinMoin did not properly sanitize its input when processing user forms, editing pages, relaying error messages, or when attaching files.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2008-02-28 CVE Reserved
- 2008-03-05 CVE Published
- 2024-08-07 CVE Updated
- 2024-08-07 First Exploit
- 2025-05-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (14)
| URL | Tag | Source |
|---|---|---|
| http://hg.moinmo.in/moin/1.5/rev/d0152eeb4499 | X_refsource_confirm | |
| http://moinmo.in/SecurityFixes | X_refsource_confirm | |
| http://secunia.com/advisories/29262 | Third Party Advisory | |
| http://secunia.com/advisories/29444 | Third Party Advisory | |
| http://secunia.com/advisories/30031 | Third Party Advisory | |
| http://secunia.com/advisories/33755 | Third Party Advisory | |
| http://www.securityfocus.com/bid/28173 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/41037 | Vdb Entry |
| URL | Date | SRC |
|---|---|---|
| http://hg.moinmo.in/moin/1.5/rev/4ede07e792dd | 2024-08-07 |
| URL | Date | SRC |
|---|