CVE-2010-0828

Priority
Low
Description
Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam
action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users
to inject arbitrary web script or HTML by creating a page with a crafted
URI.
References
Bugs
Notes
jdstrand> XSS in Despam page
jdstrand> The page name is not escaped in the revert_pages() function in
Despam.py. It appears only privileged users are allowed to use the
Despam action. Since the script must occur in the page name, it is
pretty obvious when viewing that the page is suspicious (but this might
be why someone was using the Despam action in the first place). There is
also a limit on the length of the page name.
Assigned-to
jdstrand
Package
Source: moin (LP Ubuntu Debian)
Upstream: pending (1.9.3)
Ubuntu 8.04 LTS (Hardy Heron): released (1.5.8-5.1ubuntu2.4)
Ubuntu 10.04 LTS (Lucid Lynx): released (1.9.2-2ubuntu2)
Patches:
Debdiff: https://launchpad.net/bugs/538022
More Information


Updated: 2012-06-01 15:20:45 UTC (commit 5347)