Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1482 to the following vulnerability: Name: CVE-2009-1482 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1482 Assigned: 20090429 Reference: CONFIRM: http://hg.moinmo.in/moin/1.8/rev/5f51246a4df1 Reference: CONFIRM: http://moinmo.in/SecurityFixes Reference: BID:34631 Reference: URL: http://www.securityfocus.com/bid/34631 Reference: SECUNIA:34821 Reference: URL: http://secunia.com/advisories/34821 Reference: VUPEN:ADV-2009-1119 Reference: URL: http://www.vupen.com/english/advisories/2009/1119 Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) an AttachFile sub-action in the error_msg function or (2) multiple vectors related to package file errors in the upload_form function, different vectors than CVE-2009-0260.
This has already been fixed since 20090422 in F-11 and devel and since 20090420 in F-10 and F-9, i.e. before the new CVE number even existed. The exact patch in the CVE report is here in the Fedora CVS: http://cvs.fedoraproject.org/viewvc/rpms/moin/F-11/001_CVE-2008-0781_attach_file_XSS.patch?revision=1.1&view=markup What happened here was that I performed a sort-of security patch audit for the stable Fedora releases and Rawhide using CVE reports and Debian patches. I noticed the fix for CVE-2008-0781 had been dropped in moin 1.6 and later for some reason. I notified the upstream developers who then released the fix again for 1.7 and 1.8. Thus I'm closing this bug. If something in this CVE report hasn't been fixed after all, feel free to reopen the report.