Executive Summary
Summary | |
---|---|
Title | MoinMoin: Multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | GLSA-200803-27 | First vendor Publication | 2008-03-18 |
Vendor | Gentoo | Last vendor Modification | 2008-03-18 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Synopsis Several vulnerabilities have been reported in MoinMoin Wiki Engine. Background Description * A vulnerability exists in the file wikimacro.py because the _macro_Getval function does not properly enforce ACLs (CVE-2008-1099). * A directory traversal vulnerability exists in the userform action (CVE-2008-0782). * A Cross-Site Scripting vulnerability exists in the login action (CVE-2008-0780). * Multiple Cross-Site Scripting vulnerabilities exist in the file action/AttachFile.py when using the message, pagename, and target filenames (CVE-2008-0781). * Multiple Cross-Site Scripting vulnerabilities exist in formatter/text_gedit.py (aka the gui editor formatter) which can be exploited via a page name or destination page name, which trigger an injection in the file PageEditor.py (CVE-2008-1098). Impact Workaround Resolution References Availability http://security.gentoo.org/glsa/glsa-200803-27.xml |
Original Source
Url : http://security.gentoo.org/glsa/glsa-200803-27.xml |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
60 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
20 % | CWE-264 | Permissions, Privileges, and Access Controls |
20 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18640 | |||
Oval ID: | oval:org.mitre.oval:def:18640 | ||
Title: | DSA-1514-1 moin | ||
Description: | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1514-1 CVE-2007-2423 CVE-2007-2637 CVE-2008-0780 CVE-2008-0781 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 | Version: | 7 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7891 | |||
Oval ID: | oval:org.mitre.oval:def:7891 | ||
Title: | DSA-1514 moin -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in MoinMoin, a Python clone of WikiWiki. The Common Vulnerabilities and Exposures project identifies the following problems: A cross-site-scripting vulnerability has been discovered in attachment handling. Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure. A cross-site-scripting vulnerability has been discovered in the login code. A cross-site-scripting vulnerability has been discovered in attachment handling. A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files. Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages. The macro code validates access control lists insufficiently, which could lead to information disclosure. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1514 CVE-2007-2423 CVE-2007-2637 CVE-2008-0780 CVE-2008-0781 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moin |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-07-29 | Name : Fedora Core 10 FEDORA-2009-7761 (moin) File : nvt/fcore_2009_7761.nasl |
2009-06-23 | Name : Fedora Core 10 FEDORA-2009-6557 (moin) File : nvt/fcore_2009_6557.nasl |
2009-06-23 | Name : Fedora Core 9 FEDORA-2009-6559 (moin) File : nvt/fcore_2009_6559.nasl |
2009-04-28 | Name : Fedora Core 9 FEDORA-2009-3845 (moin) File : nvt/fcore_2009_3845.nasl |
2009-04-28 | Name : Fedora Core 10 FEDORA-2009-3868 (moin) File : nvt/fcore_2009_3868.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3301 File : nvt/gb_fedora_2008_3301_moin_fc8.nasl |
2009-02-17 | Name : Fedora Update for moin FEDORA-2008-3328 File : nvt/gb_fedora_2008_3328_moin_fc7.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1880 File : nvt/gb_fedora_2008_1880_moin_fc7.nasl |
2009-02-16 | Name : Fedora Update for moin FEDORA-2008-1905 File : nvt/gb_fedora_2008_1905_moin_fc8.nasl |
2009-02-02 | Name : Ubuntu USN-716-1 (moin) File : nvt/ubuntu_716_1.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-27 (moinmoin) File : nvt/glsa_200803_27.nasl |
2008-09-04 | Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin1.nasl |
2008-03-11 | Name : Debian Security Advisory DSA 1514-1 (moin) File : nvt/deb_1514_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
43147 | MoinMoin PageEditor.py Multiple Parameter XSS |
43146 | MoinMoin formatter/text_gedit.py XSS |
43145 | MoinMoin wikimacro.py _macro_Getval Remote Information Disclosure |
41780 | MoinMoin MOIN_ID Cookie userform Action Traversal Arbitrary File Overwrite |
41779 | MoinMoin action/AttachFile.py Multiple Parameter XSS |
41778 | MoinMoin Login Action XSS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3868.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-716-1.nasl - Type : ACT_GATHER_INFO |
2009-04-22 | Name : The remote Fedora host is missing a security update. File : fedora_2009-3845.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3301.nasl - Type : ACT_GATHER_INFO |
2008-05-01 | Name : The remote Fedora host is missing a security update. File : fedora_2008-3328.nasl - Type : ACT_GATHER_INFO |
2008-03-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-27.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1514.nasl - Type : ACT_GATHER_INFO |
2008-02-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_f113bbebe3ac11dcbb89000bcdc1757a.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1880.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1905.nasl - Type : ACT_GATHER_INFO |
2008-01-24 | Name : The remote web server contains a Python application that suffers from an inpu... File : moinmoin_cookie_id.nasl - Type : ACT_ATTACK |
Alert History
Date | Informations |
---|---|
2014-02-17 11:35:41 |
|