Vulnerability Name:

CVE-2008-1098 (CCN-41037)

Assigned:2007-08-28
Published:2007-08-28
Updated:2018-10-03
Summary:Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name.
Note: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2008-1098

Source: CONFIRM
Type: Exploit
http://hg.moinmo.in/moin/1.5/rev/4ede07e792dd

Source: CCN
Type: moin/1.5 / changeset
fix gui editor formatter XSS issues

Source: CONFIRM
Type: UNKNOWN
http://hg.moinmo.in/moin/1.5/rev/d0152eeb4499

Source: CCN
Type: MoinMoin SecurityFixes Web site
Security Fix Announcements, moin 1.5.8

Source: CONFIRM
Type: UNKNOWN
http://moinmo.in/SecurityFixes

Source: SECUNIA
Type: UNKNOWN
29262

Source: SECUNIA
Type: UNKNOWN
29444

Source: SECUNIA
Type: UNKNOWN
30031

Source: SECUNIA
Type: UNKNOWN
33755

Source: DEBIAN
Type: UNKNOWN
DSA-1514

Source: DEBIAN
Type: DSA-1514
moin -- several vulnerabilities

Source: CCN
Type: GLSA-200803-27
MoinMoin: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200803-27

Source: BID
Type: UNKNOWN
28173

Source: CCN
Type: BID-28173
MoinMoin GUI Editor Multiple Cross Site Scripting Vulnerabilities

Source: CCN
Type: USN-716-1
MoinMoin vulnerabilities

Source: XF
Type: UNKNOWN
moinmoin-multiple-actions-xss(41037)

Source: XF
Type: UNKNOWN
moinmoin-multiple-actions-xss(41037)

Source: UBUNTU
Type: UNKNOWN
USN-716-1

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-3301

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-3328

Vulnerable Configuration:Configuration 1:
  • cpe:/a:moinmoin:moinmoin:*:*:*:*:*:*:*:* (Version <= 1.5.8)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:13561
    P
    		USN-716-1 -- moin vulnerabilities
    2014-06-30
    oval:org.mitre.oval:def:7891
    P
    		DSA-1514 moin -- several vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:18640
    P
    		DSA-1514-1 moin
    2014-06-23
    oval:org.debian:def:1514
    V
    		several vulnerabilities
    2008-03-09
    BACK
    moinmoin moinmoin *