Bug 238722

Summary: CVE-2007-2423: moin <= 1.5.7 XSS
Product: Fedora
Reporter: Ville Skyttä <ville.skytta>
Component: moin
Assignee: Matthias Saou <matthias>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
CC: fedora-security-list
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2423
Fixed In Version: 1.5.7-2
Doc Type: Bug Fix
Last Closed: 2007-05-07 13:13:16 UTC

Description Ville Skyttä 2007-05-02 15:58:11 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2423

"Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows
remote attackers to inject arbitrary web script or HTML via the do parameter in
an AttachFile action, a different vulnerability than CVE-2007-0857."

Comment 1 Matthias Saou 2007-05-04 12:58:22 UTC
And once again, no patch to be found anywhere... not to mention half the reports
mentioning "PHP" or "index.php" vulnerability... *sigh*

Comment 2 Matthias Saou 2007-05-07 13:13:16 UTC
Debian has a really great MoinMoin package, and seems to track upstream really
closely.

I've reviewed, included and tested 4 security patches from Debian, which should
fix CVE-2007-0857, CVE-2007-0901, CVE-2007-0902 and CVE-2007-2423 (and other
security bugs too).

I've updated F7,6,5 and EL5,4 branches (all current).
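The NVD text quoted in the description names the bug class (a request parameter, `do`, reflected into the page by the AttachFile action) but the Fedora bug does not carry the patch. The following is an added illustration of that class and of the usual fix, written for this page and not taken from MoinMoin, Debian, or Fedora; the handler, the allow-list of sub-actions, and the error message are all assumptions chosen to make the point concrete.

```python
# Added example, not MoinMoin's own code: a minimal AttachFile-style handler
# that selects a sub-action from the "do" query parameter. The vulnerable
# variant reflects an unknown "do" value into an HTML error message verbatim;
# the fixed variant HTML-escapes it. Action names and messages are hypothetical.
import html
from urllib.parse import parse_qs

# Hypothetical allow-list of sub-actions the attachment handler understands.
ALLOWED_ACTIONS = {"get", "upload", "del", "view"}


def _do_param(query_string: str) -> str:
    """Return the (percent-decoded) first 'do' value, defaulting to 'get'."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("do", ["get"])[0]


def render_vulnerable(query_string: str) -> str:
    """Bug class of CVE-2007-2423: attacker-controlled 'do' lands in HTML unescaped."""
    do = _do_param(query_string)
    if do in ALLOWED_ACTIONS:
        return f"<p>Attachment action: {do}</p>"
    # The unknown value is interpolated as-is, so '<script>' becomes live markup.
    return f"<p>Unsupported upload action: {do}</p>"


def render_fixed(query_string: str) -> str:
    """Same handler with output encoding applied to the reflected value."""
    do = _do_param(query_string)
    if do in ALLOWED_ACTIONS:
        # Value comes from the fixed allow-list, but escaping is harmless here too.
        return f"<p>Attachment action: {html.escape(do, quote=True)}</p>"
    # html.escape turns < > & " ' into entities, so the value renders as text.
    return f"<p>Unsupported upload action: {html.escape(do, quote=True)}</p>"


def reflects_raw_markup(render, query_string: str) -> bool:
    """Check used by the tests below: does the renderer emit the raw input tag?"""
    do = _do_param(query_string)
    return "<" in do and do in render(query_string)


if __name__ == "__main__":
    # Constructed probe: a percent-encoded <script> element in the "do" parameter.
    probe = "do=%3Cscript%3Ealert(1)%3C/script%3E"
    print("vulnerable reflects raw markup:", reflects_raw_markup(render_vulnerable, probe))
    print("fixed reflects raw markup:     ", reflects_raw_markup(render_fixed, probe))
    print(render_fixed(probe))
```

The probe is percent-encoded because that is how the value travels in a query string; `parse_qs` decodes it before the handler sees it, which is why escaping must happen at the point of output rather than by inspecting the raw URL.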