<?xml version="1.0" encoding="utf-8"?>
<glsa id="200803-27">
<title>MoinMoin: Multiple vulnerabilities</title>
Several vulnerabilities have been reported in MoinMoin Wiki Engine.
<product type="ebuild">moinmoin</product>
<announced>March 18, 2008</announced>
<revised>March 18, 2008: 01</revised>
<package name="www-apps/moinmoin" auto="yes" arch="*">
<unaffected range="ge">1.6.1</unaffected>
<vulnerable range="lt">1.6.1</vulnerable>
MoinMoin is an advanced, easy to use and extensible Wiki Engine.
Multiple vulnerabilities have been discovered:
<ul>
<li>A vulnerability exists in the file because the
_macro_Getval function does not properly enforce ACLs</li>
<li>A directory traversal vulnerability exists in the userform action</li>
<li>A Cross-Site Scripting vulnerability exists in the login action</li>
<li>Multiple Cross-Site Scripting vulnerabilities exist in the file
action/ when using the message, pagename, and target
filenames (CVE-2008-0781).</li>
<li>Multiple Cross-Site Scripting vulnerabilities exist in
formatter/ (aka the gui editor formatter) which can be
exploited via a page name or destination page name, which trigger an
injection in the file (CVE-2008-1098).</li>
</ul>
<impact type="normal">
These vulnerabilities can be exploited to allow remote attackers to
inject arbitrary web script or HTML, overwrite arbitrary files, or read
protected pages.
There is no known workaround at this time.
All MoinMoin users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-apps/moinmoin-1.6.1&quot;</code>
<uri link="">CVE-2008-0780</uri>
<uri link="">CVE-2008-0781</uri>
<uri link="">CVE-2008-0782</uri>
<uri link="">CVE-2008-1098</uri>
<uri link="">CVE-2008-1099</uri>
<metadata tag="requester" timestamp="Tue, 26 Feb 2008 09:02:13 +0000">
<metadata tag="bugReady" timestamp="Tue, 26 Feb 2008 09:03:06 +0000">
<metadata tag="submitter" timestamp="Sat, 15 Mar 2008 19:53:09 +0000">