
CVE-2012-6081: MoinMoin Multiple unrestricted file upload vulnerabilities

CVSS Score (v3.1): 6.2

Basic Information

EPSS Score: 0.98856%
Published: 5/17/2022
Updated: 9/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:F

Package Name: moin
Ecosystem: pip
Vulnerable Versions: < 1.9.6
First Patched Version: 1.9.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly identifies the twikidraw and anywikidraw actions (implemented in action/twikidraw.py and action/anywikidraw.py) as the source of unrestricted file uploads. The security fix commit (hg.moinmo.in/moin/1.9/rev/7e7e1cbb9d3f) targets these components, and multiple references (including CVE-2012-6081 details) confirm the save() methods in these classes failed to sanitize file paths/names, leading to arbitrary code execution. The exploit requires authenticated users with write permissions, aligning with the functions' role in handling file uploads.
