CVE-2010-0828

Priority
Low
Description
Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam
action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users
to inject arbitrary web script or HTML by creating a page with a crafted
URI.
References
Bugs
Notes
 jdstrand> XSS in Despam page
 jdstrand> The page name is not escaped in the revert_pages() function in
  Despam.py. It appears only privileged users are allowed to use the
  Despam action. Since the script must occur in the page name, it is
  pretty obvious when viewing that the page is suspicious (but this might
  be why someone was using the Despam action in the first place). There is
  also a limit on the length of the page name.
Assigned-to
jdstrand
Package
Source: moin (LP Ubuntu Debian)
Upstream: pending (1.9.3)
Patches:
Debdiff: https://launchpad.net/bugs/538022
More Information


Updated: 2015-07-29 20:38:03 UTC (commit 9756)