Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0260 to the following vulnerability: Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin before 1.8.1 allow remote attackers to inject arbitrary web script or HTML via an AttachFile action to the WikiSandBox component with (1) the rename parameter or (2) the drawing parameter (aka the basename variable). Fixed upstream in 1.7.3 and 1.8.1. Upstream patch (1.7.x and 1.8.x): http://hg.moinmo.in/moin/1.7/rev/8cb4d34ccbc1 http://hg.moinmo.in/moin/1.8/rev/8cb4d34ccbc1 References: http://moinmo.in/SecurityFixes#moin1.8.1 http://www.securityfocus.com/archive/1/archive/1/500197/100/0/threaded http://www.securityfocus.com/bid/33365 http://secunia.com/advisories/33593 http://xforce.iss.net/xforce/xfdb/48126
Both flaws seem to exist in 1.6.x as well. Upstream does not longer support 1.6 branch.
moin-1.6.4-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/moin-1.6.4-1.fc10
moin-1.6.4-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/moin-1.6.4-1.fc9
moin-1.6.4-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
moin-1.6.4-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
As the update has been pushed and it was approved by the security team, I'll close this bug. If something related to this vulnerability has not been fixed, please reopen this bug report.