CVE-2010-0828

Published: 30 March 2010

Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.

Priority

Low

Status

Package: moin (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Pending (1.9.3)
Patches:
Debdiff: https://launchpad.net/bugs/538022

Notes

Author: jdstrand
Note: XSS in Despam page
The page name is not escaped in the revert_pages() function in
Despam.py. It appears only privileged users are allowed to use the
Despam action. Since the script must occur in the page name, it is
pretty obvious when viewing that the page is suspicious (but this might
be why someone was using the Despam action in the first place). There is
also a limit on the length of the page name.
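A minimal illustration of the bug class the note describes, added here and not taken from MoinMoin's Despam.py: a revert summary that concatenates page names into HTML unescaped, beside the escaped form, with a check that tells the two apart. The function names, the length constant and the sample page names are hypothetical stand-ins, not the project's own.

```python
"""Illustration of the CVE-2010-0828 bug class: a page name rendered into
HTML by a revert/despam summary without escaping.  Not MoinMoin code; the
names below are hypothetical stand-ins for Despam.py's revert_pages()."""
from html import escape

# Constructed upper bound on a page name; the wiki enforces its own limit.
MAX_PAGENAME_LEN = 100


def render_revert_summary_vulnerable(pagenames):
    """Vulnerable pattern: the raw page name is concatenated into markup."""
    rows = ["<li>reverted %s</li>" % name for name in pagenames]
    return "<ul>%s</ul>" % "".join(rows)


def render_revert_summary_fixed(pagenames):
    """Hardened pattern: every page name is HTML-escaped before output.
    html.escape() stands in for the wiki's own escape helper."""
    rows = ["<li>reverted %s</li>" % escape(name, quote=True)
            for name in pagenames]
    return "<ul>%s</ul>" % "".join(rows)


def pagename_is_sane(name):
    """Defensive check before rendering or reverting: reject over-long
    names and names that carry HTML-significant characters."""
    return (len(name) <= MAX_PAGENAME_LEN
            and not any(c in name for c in "<>\"'"))


def markup_leaked(rendered, pagename):
    """Detection: does a markup-bearing page name survive in the output
    verbatim?  Plain names never count as a leak."""
    return pagename in rendered and escape(pagename, quote=True) != pagename


if __name__ == "__main__":
    # Constructed sample: one ordinary name and one crafted name of the
    # kind the advisory describes (benign tag, no script).
    names = ["FrontPage", "<b>Crafted</b>Page"]
    for render in (render_revert_summary_vulnerable,
                   render_revert_summary_fixed):
        out = render(names)
        print(render.__name__, "leaks markup:", markup_leaked(out, names[1]))
```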

References

Bugs