"Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action." The upstream changes are visible here: http://hg.thinkmo.de/moin/1.5?fl=28eb59256911;file=docs/CHANGES However, LikePages was missed, and the upstream LocalSiteMap fix appears to be incomplete. Attached is the patch I'm using in Ubuntu.
Issue was reported by Kees Cook. web-apps, please advise.
Is this fixed properly in 1.5.8?
moin-1.5.7/debian/patches/00829_SECURITY_FIX_XSS_in_AttachFile_do_parameter.patch seems to have been applied in 1.5.8, so I would say so.
Let's handle stable marking of 1.5.8 on bug #177604
Seems that we had forgotten this one :) Now that 1.5.8 is stable, it's time for glsa decision. I vote NO.
Voting NO and closing.