| 0 |
| url |
VCID-1fak-dar5-tuet |
| vulnerability_id |
VCID-1fak-dar5-tuet |
| summary |
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors. NOTE: this can be leveraged with CVE-2012-6081 to execute arbitrary code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-6495, PYSEC-2013-7
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1fak-dar5-tuet |
|
| 1 |
| url |
VCID-1kv8-4wn6-yydy |
| vulnerability_id |
VCID-1kv8-4wn6-yydy |
| summary |
MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=fckdialog&dialog=attachment (via page name) component. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-7146, PYSEC-2016-30
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1kv8-4wn6-yydy |
|
| 2 |
| url |
VCID-2yaq-3m4p-q3bu |
| vulnerability_id |
VCID-2yaq-3m4p-q3bu |
| summary |
MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-15275, GHSA-4q96-6xhq-ff43, PYSEC-2020-241
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2yaq-3m4p-q3bu |
|
| 3 |
| url |
VCID-3z75-azrr-2qac |
| vulnerability_id |
VCID-3z75-azrr-2qac |
| summary |
Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-6082, PYSEC-2013-23
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3z75-azrr-2qac |
|
| 4 |
| url |
VCID-4fn8-ab2r-23dk |
| vulnerability_id |
VCID-4fn8-ab2r-23dk |
| summary |
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-5934, GHSA-42fp-4hm3-j8r7, PYSEC-2018-47
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4fn8-ab2r-23dk |
|
| 5 |
| url |
VCID-4q2t-yhg6-k3dg |
| vulnerability_id |
VCID-4q2t-yhg6-k3dg |
| summary |
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-6081, GHSA-m2c4-jgmm-fvq3, PYSEC-2013-6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4q2t-yhg6-k3dg |
|
| 6 |
| url |
VCID-5hn2-1bvq-jfdh |
| vulnerability_id |
VCID-5hn2-1bvq-jfdh |
| summary |
MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=AttachFile (via page name) component. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-7148, PYSEC-2016-31
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5hn2-1bvq-jfdh |
|
| 7 |
| url |
VCID-h1wf-35g5-5ucz |
| vulnerability_id |
VCID-h1wf-35g5-5ucz |
| summary |
Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2012-6080, PYSEC-2013-5
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h1wf-35g5-5ucz |
|
| 8 |
| url |
VCID-kjqq-u9hy-5yda |
| vulnerability_id |
VCID-kjqq-u9hy-5yda |
| summary |
The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-25074, GHSA-52q8-877j-gghq, PYSEC-2020-67
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kjqq-u9hy-5yda |
|
| 9 |
| url |
VCID-tkp3-e758-suhx |
| vulnerability_id |
VCID-tkp3-e758-suhx |
| summary |
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-9119, PYSEC-2017-20
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tkp3-e758-suhx |
|