
CVE-2016-7146: MoinMoin Cross-site Scripting (XSS) vulnerability

CVSS Score
6.1
CVSS Version
3.0

Basic Information

EPSS Score
0.48265%
Published
5/17/2022
Updated
9/27/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
moin
Ecosystem
pip
Vulnerable Versions
= 1.9.8
First Patched Version
1.9.9

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability specifically references the 'action=fckdialog&dialog=attachment' endpoint. This endpoint handles attachment management in the FCKeditor component. The XSS occurs because user-controlled input (page name) is directly embedded into HTML responses without proper sanitization. The function responsible for rendering this dialog would be the logical point where unsanitized page names are incorporated into the UI, matching the described attack vectors (page creation and crafted URLs). Though exact code isn't available, the pattern matches common XSS vulnerabilities in web handlers that fail to escape template variables.
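The pattern described above (a page name interpolated into the dialog's HTML without escaping) and its fix can be shown in a few lines. The following is an added example, not MoinMoin's or FCKeditor's code; the renderer functions and the probe page names are hypothetical stand-ins for the dialog handler and for an attacker-chosen page name reaching it through page creation or a crafted URL.

```python
import html

# Constructed page name containing markup characters. It stands in for an
# untrusted page name that reaches the attachment dialog via the URL.
UNTRUSTED_PAGE_NAME = 'Front<b>Page</b>'

# Probe names used by the regression check below: one for the text context
# (tag injection), one for the quoted attribute context (quote breakout).
PROBE_NAMES = [
    'Front<b>Page</b>',
    'Front"Page',
]


def render_attachment_dialog_vulnerable(page_name: str) -> str:
    """Hypothetical vulnerable renderer: the page name is interpolated raw
    into both a text node and a quoted attribute value."""
    return (
        f'<h2>Attachments for {page_name}</h2>'
        f'<input type="hidden" name="pagename" value="{page_name}">'
    )


def render_attachment_dialog_hardened(page_name: str) -> str:
    """Hardened renderer: escape once, at the point of HTML insertion.
    quote=True is required because the value also lands inside value="..."."""
    safe = html.escape(page_name, quote=True)
    return (
        f'<h2>Attachments for {safe}</h2>'
        f'<input type="hidden" name="pagename" value="{safe}">'
    )


def renderer_escapes_input(render) -> bool:
    """Regression check for a renderer: returns False if any probe page name
    survives verbatim in the output, i.e. its '<', '>' or '"' characters were
    not escaped before reaching the response body."""
    return all(probe not in render(probe) for probe in PROBE_NAMES)


def attribute_round_trips(page_name: str) -> bool:
    """Escaping is reversible for the server side: the hidden field's escaped
    value decodes back to the original page name, so hardening loses nothing."""
    escaped = html.escape(page_name, quote=True)
    return html.unescape(escaped) == page_name


if __name__ == "__main__":
    # Vulnerable: the raw markup is reflected into the page.
    print(render_attachment_dialog_vulnerable(UNTRUSTED_PAGE_NAME))
    # Hardened: the browser shows the literal text instead of parsing it.
    print(render_attachment_dialog_hardened(UNTRUSTED_PAGE_NAME))
    print("vulnerable escapes input:", renderer_escapes_input(render_attachment_dialog_vulnerable))
    print("hardened escapes input:  ", renderer_escapes_input(render_attachment_dialog_hardened))
```

The check in `renderer_escapes_input` is the kind of test a project can keep next to a handler after a fix like the 1.9.9 one: it fails if a later change reintroduces an unescaped interpolation in either the text or the attribute context.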

Vulnerable functions


WAF Protection Rules

WAF Rule

MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting (XSS)" issue affecting the `action=fckdialog&dialog=attachment` (via page name)
