{"url":"http://public2.vulnerablecode.io/api/packages/9452?format=json","purl":"pkg:pypi/moin@1.9.8","type":"pypi","namespace":"","name":"moin","version":"1.9.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.9.11","latest_non_vulnerable_version":"1.9.11","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35009?format=json","vulnerability_id":"VCID-1kv8-4wn6-yydy","summary":"MoinMoin 1.9.8 allows remote attackers to conduct \"JavaScript injection\" attacks by using the \"page creation or crafted URL\" approach, related to a \"Cross Site Scripting (XSS)\" issue affecting the action=fckdialog&dialog=attachment (via page name) component.","references":[{"reference_url":"https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html"},{"reference_url":"http://www.debian.org/security/2016/dsa-3715","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3715"},{"reference_url":"http://www.securityfocus.com/bid/94259","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/94259"},{"reference_url":"http://www.ubuntu.com/usn/USN-3137-1","reference_id":"","reference_type":"","scores":[],"url":"http://www.ubuntu.com/usn/USN-3137-1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9453?format=json","purl":"pkg:pypi/moin@1.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yaq-3m4p-q3bu"},{"vulnerability":"VCID-4fn8-ab2r-23dk"},{"vulnerability":"VCID-kjqq-u9hy-5yda"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.9"}],"aliases":["CVE-2016-7146","PYSEC-2016-30"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1kv8-4wn6-yydy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35671?format=json","vulnerability_id":"VCID-2yaq-3m4p-q3bu","summary":"MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.","references":[{"reference_url":"https://advisory.checkmarx.net/advisory/CX-2020-4285","reference_id":"","reference_type":"","scores":[],"url":"https://advisory.checkmarx.net/advisory/CX-2020-4285"},{"reference_url":"https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9/commit/31de9139d0aabc171e94032168399b4a0b2a88a2"},{"reference_url":"https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9/releases/tag/1.9.11"},{"reference_url":"https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18962?format=json","purl":"pkg:pypi/moin@1.9.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.11"}],"aliases":["CVE-2020-15275","GHSA-4q96-6xhq-ff43","PYSEC-2020-241"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2yaq-3m4p-q3bu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35273?format=json","vulnerability_id":"VCID-4fn8-ab2r-23dk","summary":"Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html"},{"reference_url":"http://moinmo.in/SecurityFixes","reference_id":"","reference_type":"","scores":[],"url":"http://moinmo.in/SecurityFixes"},{"reference_url":"https://github.com/advisories/GHSA-42fp-4hm3-j8r7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-42fp-4hm3-j8r7"},{"reference_url":"https://github.com/moinwiki/moin-1.9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9"},{"reference_url":"https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2018-47.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2018-47.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00007.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2018/10/msg00007.html"},{"reference_url":"https://usn.ubuntu.com/3794-1","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3794-1"},{"reference_url":"https://usn.ubuntu.com/3794-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3794-1/"},{"reference_url":"https://www.debian.org/security/2018/dsa-4318","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2018/dsa-4318"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5934","reference_id":"CVE-2017-5934","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-5934"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/12310?format=json","purl":"pkg:pypi/moin@1.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yaq-3m4p-q3bu"},{"vulnerability":"VCID-kjqq-u9hy-5yda"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.10"}],"aliases":["CVE-2017-5934","GHSA-42fp-4hm3-j8r7","PYSEC-2018-47"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4fn8-ab2r-23dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35010?format=json","vulnerability_id":"VCID-5hn2-1bvq-jfdh","summary":"MoinMoin 1.9.8 allows remote attackers to conduct \"JavaScript injection\" attacks by using the \"page creation\" approach, related to a \"Cross Site Scripting (XSS)\" issue affecting the action=AttachFile (via page name) component.","references":[{"reference_url":"https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html","reference_id":"","reference_type":"","scores":[],"url":"https://www.curesec.com/blog/article/blog/MoinMoin-198-XSS-175.html"},{"reference_url":"http://www.debian.org/security/2016/dsa-3715","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3715"},{"reference_url":"http://www.securityfocus.com/bid/94259","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/94259"},{"reference_url":"http://www.ubuntu.com/usn/USN-3137-1","reference_id":"","reference_type":"","scores":[],"url":"http://www.ubuntu.com/usn/USN-3137-1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9453?format=json","purl":"pkg:pypi/moin@1.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2yaq-3m4p-q3bu"},{"vulnerability":"VCID-4fn8-ab2r-23dk"},{"vulnerability":"VCID-kjqq-u9hy-5yda"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.9"}],"aliases":["CVE-2016-7148","PYSEC-2016-31"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5hn2-1bvq-jfdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35670?format=json","vulnerability_id":"VCID-kjqq-u9hy-5yda","summary":"The cache action in action/cache.py in MoinMoin through 1.9.10 allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution.","references":[{"reference_url":"http://moinmo.in/SecurityFixes","reference_id":"","reference_type":"","scores":[],"url":"http://moinmo.in/SecurityFixes"},{"reference_url":"https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-52q8-877j-gghq","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-52q8-877j-gghq"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00020.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00020.html"},{"reference_url":"https://www.debian.org/security/2020/dsa-4787","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2020/dsa-4787"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18962?format=json","purl":"pkg:pypi/moin@1.9.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.11"}],"aliases":["CVE-2020-25074","GHSA-52q8-877j-gghq","PYSEC-2020-67"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kjqq-u9hy-5yda"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35019?format=json","vulnerability_id":"VCID-tkp3-e758-suhx","summary":"Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.","references":[{"reference_url":"https://moinmo.in/SecurityFixes","reference_id":"","reference_type":"","scores":[],"url":"https://moinmo.in/SecurityFixes"},{"reference_url":"http://www.debian.org/security/2016/dsa-3715","reference_id":"","reference_type":"","scores":[],"url":"http://www.debian.org/security/2016/dsa-3715"},{"reference_url":"http://www.securityfocus.com/bid/94501","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/94501"},{"reference_url":"http://www.ubuntu.com/usn/USN-3137-1","reference_id":"","reference_type":"","scores":[],"url":"http://www.ubuntu.com/usn/USN-3137-1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/9452?format=json","purl":"pkg:pypi/moin@1.9.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1kv8-4wn6-yydy"},{"vulnerability":"VCID-2yaq-3m4p-q3bu"},{"vulnerability":"VCID-4fn8-ab2r-23dk"},{"vulnerability":"VCID-5hn2-1bvq-jfdh"},{"vulnerability":"VCID-kjqq-u9hy-5yda"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.8"}],"aliases":["CVE-2016-9119","PYSEC-2017-20"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tkp3-e758-suhx"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/moin@1.9.8"}