PublicDateAtUSN: 2016-11-10
Candidate: CVE-2016-7148
PublicDate: 2016-11-10 17:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7148
 https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
 https://ubuntu.com/security/notices/USN-3137-1
Description:
 MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection"
 attacks by using the "page creation" approach, related to a "Cross Site
 Scripting (XSS)" issue affecting the action=AttachFile (via page name)
 component.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844341
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_moin:
 upstream: http://hg.moinmo.in/moin/1.9/rev/eceb70c41ecc
upstream_moin: released (1.9.9)
precise_moin: not-affected (code not present)
trusty_moin: not-affected (code not present)
trusty/esm_moin: DNE (trusty was not-affected [code not present])
vivid/stable-phone-overlay_moin: DNE
vivid/ubuntu-core_moin: DNE
xenial_moin: released (1.9.8-1ubuntu1.16.04.1)
esm-infra/xenial_moin: released (1.9.8-1ubuntu1.16.04.1)
yakkety_moin: released (1.9.8-1ubuntu1.16.10.1)
devel_moin: released (1.9.8-1ubuntu2)