Executive Summary
Summary

| Field | Value |
|---|---|
| Title | New moin packages fix several vulnerabilities |
Information

| Field | Value |
|---|---|
| Name | DSA-1514 |
| Vendor | Debian |
| Severity (Vendor) | N/A |
| First vendor publication | 2008-03-09 |
| Last vendor modification | 2008-03-09 |
| Revision | 1 |
Security-Database Scoring CVSS v3

CVSS vector: N/A

| Metric | Value |
|---|---|
| Overall CVSS score | NA |
| Base score | NA |
| Impact subscore | NA |
| Exploitability subscore | NA |
| Environmental score | NA |
| Temporal score | NA |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

| Metric | Value |
|---|---|
| CVSS base score | 5.8 |
| CVSS impact score | 4.9 |
| CVSS exploit score | 8.6 |
| Attack range | Network |
| Attack complexity | Medium |
| Authentication | None required |
Detail
Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2007-2423: A cross-site-scripting vulnerability has been discovered in attachment handling.
- CVE-2007-2637: Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure.
- CVE-2008-0780: A cross-site-scripting vulnerability has been discovered in the login code.
- CVE-2008-0781: A cross-site-scripting vulnerability has been discovered in attachment handling.
- CVE-2008-0782: A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files.
- CVE-2008-1098: Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages.
- CVE-2008-1099: The macro code validates access control lists insufficiently, which could lead to information disclosure.

For the stable distribution (etch), these problems have been fixed in version 1.5.3-1.2etch1. This update also includes a bugfix with respect to the encoding of password reminder mails, which doesn't have security implications.

The old stable distribution (sarge) will not be updated due to the many changes and support for Sarge ending at the end of this month anyway. You're advised to upgrade to the stable distribution if you run moinmoin.

We recommend that you upgrade your moin package.
Original Source
Url : http://www.debian.org/security/2008/dsa-1514
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
60 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
20 % | CWE-264 | Permissions, Privileges, and Access Controls |
20 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18640

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:18640 |
| Title | DSA-1514-1 moin |
| Description | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-1514-1, CVE-2007-2423, CVE-2007-2637, CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099 |
| Version | 7 |
| Platform(s) | Debian GNU/Linux 4.0 |
| Product(s) | moin |

Definition Id: oval:org.mitre.oval:def:7891

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:7891 |
| Title | DSA-1514 moin -- several vulnerabilities |
| Description | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: A cross-site-scripting vulnerability has been discovered in attachment handling. Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. A cross-site-scripting vulnerability has been discovered in the login code. A cross-site-scripting vulnerability has been discovered in attachment handling. A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. The macro code validates access control lists insufficiently, which could lead to information disclosure. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-1514, CVE-2007-2423, CVE-2007-2637, CVE-2008-0780, CVE-2008-0781, CVE-2008-0782, CVE-2008-1098, CVE-2008-1099 |
| Version | 3 |
| Platform(s) | Debian GNU/Linux 4.0 |
| Product(s) | moin |
OpenVAS Exploits
Date | Description |
---|---|
2009-07-29 | Name : Fedora Core 10 FEDORA-2009-7761 (moin) File : nvt/fcore_2009_7761.nasl |
2009-06-23 | Name : Fedora Core 10 FEDORA-2009-6557 (moin) File : nvt/fcore_2009_6557.nasl |
2009-06-23 | Name : Fedora Core 9 FEDORA-2009-6559 (moin) File : nvt/fcore_2009_6559.nasl |
2009-04-28 | Name : Fedora Core 9 FEDORA-2009-3845 (moin) File : nvt/fcore_2009_3845.nasl |
2009-04-28 | Name : Fedora Core 10 FEDORA-2009-3868 (moin) File : nvt/fcore_2009_3868.nasl |
2009-03-23 | Name : Ubuntu Update for moin vulnerabilities USN-458-1 File : nvt/gb_ubuntu_USN_458_1.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3301 File : nvt/gb_fedora_2008_3301_moin_fc8.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3328 File : nvt/gb_fedora_2008_3328_moin_fc7.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1880 File : nvt/gb_fedora_2008_1880_moin_fc7.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1905 File : nvt/gb_fedora_2008_1905_moin_fc8.nasl |
2009-02-02 | Name : Ubuntu USN-716-1 (moin) File : nvt/ubuntu_716_1.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-27 (moinmoin) File : nvt/glsa_200803_27.nasl |
2008-09-04 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin1.nasl |
2008-03-11 | Name : Debian Security Advisory DSA 1514-1 (moin) File : nvt/deb_1514_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
57321 | MoinMoin rst Markup Include Directive ACL Bypass |
43147 | MoinMoin PageEditor.py Multiple Parameter XSS |
43146 | MoinMoin formatter/text_gedit.py XSS |
43145 | MoinMoin wikimacro.py _macro_Getval Remote Information Disclosure |
41780 | MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File Overwrite |
41779 | MoinMoin action/AttachFile.py Multiple Parameter XSS |
41778 | MoinMoin Login Action XSS |
36567 | MoinMoin index.php AttachFile Action do Parameter XSS |
36269 | MoinMoin MonthCalendar Day Page ACL Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3868.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-716-1.nasl - Type : ACT_GATHER_INFO |
2009-04-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3845.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3301.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3328.nasl - Type : ACT_GATHER_INFO |
2008-03-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-27.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1514.nasl - Type : ACT_GATHER_INFO |
2008-02-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f113bbebe3ac11dcbb89000bcdc1757a.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1880.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1905.nasl - Type : ACT_GATHER_INFO |
2008-01-24 | Name : The remote web server contains a Python application that suffers from an inpu... File : moinmoin_cookie_id.nasl - Type : ACT_ATTACK |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-458-1.nasl - Type : ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-02-17 11:27:25 | |