Bug 1394684 (CVE-2016-7146, CVE-2016-7148)

Summary: CVE-2016-7146 CVE-2016-7148 moin: Javascript injection via page creation
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athmanem, imlinux+fedora, ivazqueznet, vpvainio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moin 1.9.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:02:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1394685, 1394686    
Bug Blocks:    

Description Andrej Nemec 2016-11-14 08:59:40 UTC 
MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript
injection" attacks by using the "page creation" approach, related to a
"Cross Site Scripting (XSS)" issue affecting the action=AttachFile (via
page name) component.

XSS 1: Persistent XSS (CVE-2016-7148)
A page name is echoed in the attach file page without encoding, leading to persistent XSS. 

XSS 2: Persistent XSS (CVE-2016-7146)
Description: The GUI editor is vulnerable to XSS via a specifically crafted URL, as it echoes part of the URL without encoding in two different places. The issue can be exploited reflected or persistent.

External References:

https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
Comment 1 Andrej Nemec 2016-11-14 09:02:05 UTC 
Created moin tracking bugs for this issue:

Affects: fedora-all [bug 1394685]
Affects: epel-all [bug 1394686]
Comment 2 Product Security DevOps Team 2019-06-08 03:02:01 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.