Launchpad.net

CVE 2008-1098

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name. NOTE: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780.

Related bugs and status

CVE-2008-1098 (Candidate) is related to these bugs:

Bug #200897: [moin] [DSA-1514-1] multiple vulnerabilities

		In	Importance	Status
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu)	Undecided	Invalid
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu Intrepid)	Undecided	Invalid
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu Jaunty)	Undecided	Invalid
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu Dapper)	Undecided	Fix Released
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu Gutsy)	Undecided	Fix Released
200897	[moin] [DSA-1514-1] multiple vulnerabilities	moin (Ubuntu Hardy)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://hg.moinmo.in/mo...
CONFIRM: http://hg.moinmo.in/mo...
CONFIRM: http://moinmo.in/Secur...
DEBIAN: DSA-1514
BID: 28173
SECUNIA: 29262
GENTOO: GLSA-200803-27
SECUNIA: 29444
FEDORA: FEDORA-2008-3301
FEDORA: FEDORA-2008-3328
SECUNIA: 30031
SECUNIA: 33755
XF: moinmoin-multiple-acti...
UBUNTU: USN-716-1