Vulnerability CVE-2017-5934

Vulnerability Name:

CVE-2017-5934 (CCN-151705)

Assigned:

2017-02-08

Published:

2018-09-09

Updated:

2018-11-29

Summary:

Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2017-5934

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2018:3105

Source: CONFIRM
Type: Release Notes, Vendor Advisory
http://moinmo.in/SecurityFixes

Source: XF
Type: UNKNOWN
moinmoin-cve20175934-xss(151705)

Source: CCN
Type: MoinMoin GIT Repository
security fix for CVE-2017-5934, XSS in GUI editor related code

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20181015 [SECURITY] [DLA 1546-1] moin security update

Source: UBUNTU
Type: Third Party Advisory
USN-3794-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4318

Vulnerable Configuration:

Configuration 1:

cpe:/a:moinmo:moinmoin:*:*:*:*:*:*:*:* (Version < 1.9.10)

Configuration 2:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.0:*:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:42.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20175934	V	CVE-2017-5934	2021-10-24
oval:com.ubuntu.xenial:def:201759340000000	V	CVE-2017-5934 on Ubuntu 16.04 LTS (xenial) - medium.	2018-10-15
oval:com.ubuntu.bionic:def:20175934000	V	CVE-2017-5934 on Ubuntu 18.04 LTS (bionic) - medium.	2018-10-15
oval:com.ubuntu.disco:def:201759340000000	V	CVE-2017-5934 on Ubuntu 19.04 (disco) - medium.	2018-10-15
oval:com.ubuntu.cosmic:def:20175934000	V	CVE-2017-5934 on Ubuntu 18.10 (cosmic) - medium.	2018-10-15
oval:com.ubuntu.cosmic:def:201759340000000	V	CVE-2017-5934 on Ubuntu 18.10 (cosmic) - medium.	2018-10-15
oval:com.ubuntu.trusty:def:20175934000	V	CVE-2017-5934 on Ubuntu 14.04 LTS (trusty) - medium.	2018-10-15
oval:com.ubuntu.bionic:def:201759340000000	V	CVE-2017-5934 on Ubuntu 18.04 LTS (bionic) - medium.	2018-10-15
oval:com.ubuntu.xenial:def:20175934000	V	CVE-2017-5934 on Ubuntu 16.04 LTS (xenial) - medium.	2018-10-15

BACK