
CVE-2010-0828

Published: 30 March 2010

Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.

Priority

Low

Status

Package: moin (Launchpad, Ubuntu, Debian)

Release    Status
dapper     Released (1.5.2-1ubuntu2.6)
hardy      Released (1.5.8-5.1ubuntu2.4)
intrepid   Released (1.7.1-1ubuntu1.5)
jaunty     Released (1.8.2-2ubuntu2.3)
karmic     Released (1.8.4-1ubuntu1.2)
upstream   Pending (1.9.3)

Notes

Author: jdstrand

Note: XSS in Despam page
The page name is not escaped in the revert_pages() function in
Despam.py. It appears only privileged users are allowed to use the
Despam action. Since the script must occur in the page name, it is
pretty obvious when viewing that the page is suspicious (but this might
be why someone was using the Despam action in the first place). There is
also a limit on the length of the page name.
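The escaping issue the note describes, as an added example that is not MoinMoin's own code: a revert listing that interpolates the page name into HTML verbatim, beside the same listing with the name escaped first, plus a simple check that flags page names carrying markup. The function names and the page name are constructed for illustration.

```python
# Added example (not from MoinMoin): the page-name escaping bug described in
# the note above, shown as a vulnerable pattern next to its hardened form.
from html import escape

# Constructed page name containing markup. A user could create a page with
# such a name; the Despam revert output later lists that name in HTML.
SUSPICIOUS_NAME = "Spam<script>x</script>Page"

# Characters that must never reach HTML output unescaped.
HTML_SPECIAL = set('<>&"\'')


def revert_line_unescaped(pagename: str) -> str:
    """Vulnerable pattern: the page name is inserted into the HTML verbatim,
    so any tags in the name become part of the page as rendered."""
    return "<li>Reverted page: %s</li>" % pagename


def revert_line_escaped(pagename: str) -> str:
    """Hardened pattern: the page name is HTML-escaped (including quotes)
    before insertion, so it is displayed as text rather than parsed as tags."""
    return "<li>Reverted page: %s</li>" % escape(pagename, quote=True)


def is_suspicious_name(pagename: str) -> bool:
    """Defensive check: True when a page name contains characters that are
    HTML-significant. Such names are worth reviewing, since a page whose
    name carries markup is itself a likely spam/abuse candidate."""
    return any(ch in HTML_SPECIAL for ch in pagename)


def output_contains_raw_tag(html_fragment: str) -> bool:
    """True if a literal <script> tag survives in the rendered fragment."""
    return "<script>" in html_fragment


if __name__ == "__main__":
    print(revert_line_unescaped(SUSPICIOUS_NAME))
    print(revert_line_escaped(SUSPICIOUS_NAME))
    print("suspicious:", is_suspicious_name(SUSPICIOUS_NAME))
```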

References

Bugs