3.5 - CVE-2010-0828

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2010-0828	First vendor Publication	2010-04-05
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Cvss Base Score	3.5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	6.8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0828

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18244

Oval ID:	oval:org.mitre.oval:def:18244
Title:	DSA-2024-1 moin - cross-site scripting
Description:	Jamie Strandboge discovered that moin, a python clone of WikiWiki, does not sufficiently sanitise the page name in "Despam" action, allowing remote attackers to perform cross-site scripting (XSS) attacks.
Family:	unix	Class:	patch
Reference(s):	DSA-2024-1 CVE-2010-0828	Version:	7
Platform(s):	Debian GNU/Linux 5.0	Product(s):	moin
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND moin DPKG is earlier than 1.7.1-3+lenny4

Definition Id: oval:org.mitre.oval:def:7093

Oval ID:	oval:org.mitre.oval:def:7093
Title:	DSA-2024 moin -- insufficient input sanitising
Description:	Jamie Strandboge discovered that moin, a python clone of WikiWiki, does not sufficiently sanitise the page name in "Despam" action, allowing remote attackers to perform cross-site scripting attacks. In addition, this update fixes a minor issue in the "textcha" protection, it could be trivially bypassed by blanking the "textcha-question" and "textcha-answer" form fields.
Family:	unix	Class:	patch
Reference(s):	DSA-2024 CVE-2010-0828	Version:	5
Platform(s):	Debian GNU/Linux 5.0	Product(s):	moin
Definition Synopsis:
Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND python-moinmoin is earlier than 1.7.1-3+lenny4

CPE : Common Platform Enumeration

Type	Description	Count
Application	Moinmo Moinmoin cpe:2.3:a:moinmo:moinmoin:1.9.2:::::::* cpe:2.3:a:moinmo:moinmoin:1.8.7:::::::*	2

OpenVAS Exploits

Date	Description
2012-10-22	Name : Gentoo Security Advisory GLSA 201210-02 (MoinMoin) File : nvt/glsa_201210_02.nasl
2011-01-24	Name : FreeBSD Ports: moinmoin File : nvt/freebsd_moinmoin6.nasl
2010-06-18	Name : Fedora Update for moin FEDORA-2010-9857 File : nvt/gb_fedora_2010_9857_moin_fc12.nasl
2010-06-18	Name : Fedora Update for moin FEDORA-2010-9876 File : nvt/gb_fedora_2010_9876_moin_fc11.nasl
2010-04-13	Name : MoinMoin Wiki Security Bypass Vulnerability File : nvt/gb_moinmoin_wiki_bypass_vuln.nasl
2010-04-13	Name : MoinMoin 'Despam' Action Cross-Site Scripting Vulnerability File : nvt/gb_moinmoin_wiki_xss_vuln.nasl
2010-04-09	Name : Fedora Update for moin FEDORA-2010-6012 File : nvt/gb_fedora_2010_6012_moin_fc11.nasl
2010-04-09	Name : Fedora Update for moin FEDORA-2010-6134 File : nvt/gb_fedora_2010_6134_moin_fc12.nasl
2010-04-09	Name : Ubuntu Update for moin vulnerabilities USN-925-1 File : nvt/gb_ubuntu_USN_925_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
63362	MoinMoin Despam.py Page Name XSS MoinMoin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the page name upon submission to the Despam.py script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Description

63362

MoinMoin Despam.py Page Name XSS

MoinMoin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the page name upon submission to the Despam.py script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date	Description
2012-10-19	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201210-02.nasl - Type : ACT_GATHER_INFO
2011-01-19	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_4c0173451d8911e0bbee0014a5e3cda6.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-6012.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-6134.nasl - Type : ACT_GATHER_INFO
2010-07-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-6180.nasl - Type : ACT_GATHER_INFO
2010-04-09	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-925-1.nasl - Type : ACT_GATHER_INFO
2010-04-01	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2024.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575995
http://hg.moinmo.in/moin/1.9/rev/6e603e5411ca
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038490.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038574.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038706.html
http://secunia.com/advisories/39188
http://secunia.com/advisories/39190
http://secunia.com/advisories/39267
http://secunia.com/advisories/39284
http://www.debian.org/security/2010/dsa-2024
http://www.securityfocus.com/bid/39110
http://www.ubuntu.com/usn/USN-925-1
http://www.vupen.com/english/advisories/2010/0767
http://www.vupen.com/english/advisories/2010/0831
http://www.vupen.com/english/advisories/2010/0834
https://bugs.launchpad.net/ubuntu/+source/moin/+bug/538022
https://bugzilla.redhat.com/show_bug.cgi?id=578801
https://exchange.xforce.ibmcloud.com/vulnerabilities/57435

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 23:08:53	Multiple Updates
2024-11-28 12:21:20	Multiple Updates
2021-05-04 12:11:17	Multiple Updates
2021-04-22 01:11:47	Multiple Updates
2020-05-23 00:25:23	Multiple Updates
2017-08-17 09:22:56	Multiple Updates
2016-04-26 19:37:47	Multiple Updates
2014-02-17 10:54:12	Multiple Updates
2013-05-10 23:19:38	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	2
Sources(s)	18
osvdb(s)	1
Openvas Exploit(s)	9
Nessus® Exploit(s)	7

	Related
7.5	GLSA-201210-02
5	USN-925-1
5	DSA-2024
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 3 more Alert(s)