SB2018090810 - Cross-site scripting in MoinMoin
Published: September 8, 2018 Updated: October 23, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2017-5934)
Vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the link dialogue in GUI editor in MoinMoin before 1.9.10. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html
- http://moinmo.in/SecurityFixes
- https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024
- https://lists.debian.org/debian-lts-announce/2018/10/msg00007.html
- https://usn.ubuntu.com/3794-1/
- https://www.debian.org/security/2018/dsa-4318