Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 334697 (CVE-2010-0667) - <=www-apps/moinmoin-1.9.2: Multiple Vulnerabilities (CVE-2010-{0667,0668,0669,0717,0828,2487})
Summary: <=www-apps/moinmoin-1.9.2: Multiple Vulnerabilities (CVE-2010-{0667,0668,0669...
Status: RESOLVED DUPLICATE of bug 305663
Alias: CVE-2010-0667
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [ebuild]
Depends on:
Reported: 2010-08-26 21:02 UTC by Tim Sammut (RETIRED)
Modified: 2010-10-13 03:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-08-26 21:02:26 UTC

MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAY_INTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors.


Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack vectors, related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured.


MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitize user profiles, which has unspecified impact and attack vectors.


The default configuration of cfg.packagepages_actions_excluded in MoinMoin before 1.8.7 does not prevent unsafe package actions, which has unspecified impact and attack vectors.


Cross-site scripting (XSS) vulnerability in action/ in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.


Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1), (2), (3), (4) action/, (5) action/, (6) action/, (7) action/, (8) action/, (9) action/, and (10) action/
Comment 1 Tim Harder gentoo-dev 2010-10-13 00:21:37 UTC
I've added 1.8.8 to the tree which should have fixes for these security issues and 1.9.3 will be added soon.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-10-13 03:02:01 UTC

*** This bug has been marked as a duplicate of bug 305663 ***