CVE-2008-1098

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name. NOTE: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
moin	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Fixed 1.5.7-3ubuntu2.1
	7.04 feisty	Ignored end of life, was needed
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Fixed 1.5.2-1ubuntu2.4

Notes

jdstrand

1.7.1 has corrected code

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
moin	Vendor: http://www.debian.org/security/2008/dsa-1514 Other: http://hg.moinmo.in/moin/1.5/rev/4ede07e792dd

Status

Notes

jdstrand

Patch details

References

Related Ubuntu Security Notices (USN)

Other references