CVE-2020-15275

Name: CVE-2020-15275
Description: MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki 1.9.11 has the necessary fixes and also contains other important fixes.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2446-1, DSA-4787-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| moin (PTS) | jessie, jessie (lts) | 1.9.8-1+deb8u2 | vulnerable |
| moin | stretch (security), stretch (lts), stretch | 1.9.9-1+deb9u2 | fixed |
| moin | buster (security), buster, buster (lts) | 1.9.9-1+deb10u1 | fixed |

The information below is based on the following data on fixed versions.

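| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| moin | source | jessie | (unfixed) | end-of-life | | |
| moin | source | stretch | 1.9.9-1+deb9u2 | | DLA-2446-1 | |
| moin | source | buster | 1.9.9-1+deb10u1 | | DSA-4787-1 | |
| moin | source | (unstable) | (unfixed) | | | |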

Notes

https://github.com/moinwiki/moin-1.9/security/advisories/GHSA-4q96-6xhq-ff43
https://github.com/moinwiki/moin-1.9/commit/64e16037a60646a4d834f0203c75481b9c3fa74c (1.9.11)
