Bug 177604 - www-apps/moinmoin XSS (CVE-2007-2423)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4 [noglsa] jaervosz
Blocks: 170866
Reported: 2007-05-08 09:43 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-06-07 21:20 UTC

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-08 09:43:51 UTC
Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the do parameter in an AttachFile action, a different vulnerability than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:40:00 UTC
www-apps please advise.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2007-05-28 00:51:15 UTC
This may have been fixed in 1.5.8: http://moinmoin.wikiwikiweb.de/MoinMoinRelease1.5/CHANGES , which is in the tree.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-28 06:35:58 UTC
Thx Renat.

Arches please test and mark stable. Target keywords are:

moinmoin-1.5.8.ebuild:KEYWORDS="amd64 ppc sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-05-31 10:36:42 UTC
web-apps: "dodoc: ChangeLog does not exist"

x86 stable
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-31 12:44:09 UTC
sparc stable.
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2007-05-31 22:02:59 UTC
amd64 stable
Comment 7 nixnut (RETIRED) gentoo-dev 2007-06-02 20:44:20 UTC
Stable on ppc.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-03 06:19:47 UTC
This one is ready for GLSA decision. I vote NO.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:20:37 UTC
No too, such a common vuln. Closing without GLSA, feel free to reopen if you disagree.