MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=AttachFile (via page name) component. XSS 1: Persistent XSS (CVE-2016-7148) A page name is echoed in the attach file page without encoding, leading to persistent XSS. XSS 2: Persistent XSS (CVE-2016-7146) Description: The GUI editor is vulnerable to XSS via a specifically crafted URL, as it echoes part of the URL without encoding in two different places. The issue can be exploited reflected or persistent. External References: https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html
Created moin tracking bugs for this issue: Affects: fedora-all [bug 1394685] Affects: epel-all [bug 1394686]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.