CVE-2008-1937 - Vulnerability Details - OpenCVE

The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moinmoin	Moinmoin

Configuration 1 [-]

OR	cpe:2.3:a:moinmoin:moinmoin:1.6.0:::::::*
	cpe:2.3:a:moinmoin:moinmoin:1.6.1:::::::*
	cpe:2.3:a:moinmoin:moinmoin:1.6.2:::::::*

No data.

References

Link	Providers
http://hg.moinmo.in/moin/1.6/rev/f405012e67af
http://moinmo.in/SecurityFixes
http://secunia.com/advisories/29894
http://secunia.com/advisories/30160
http://security.gentoo.org/glsa/glsa-200805-09.xml
http://www.securityfocus.com/bid/28869
http://www.vupen.com/english/advisories/2008/1307/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41909
https://nvd.nist.gov/vuln/detail/CVE-2008-1937
https://www.cve.org/CVERecord?id=CVE-2008-1937

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-04-24T18:00:00

Updated: 2024-08-07T08:41:00.189Z

Reserved: 2008-04-24T00:00:00

Link: CVE-2008-1937

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2008-04-25T06:05:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2008-1937

Redhat

Severity : Important

Publid Date: 2008-04-20T00:00:00Z

Links: CVE-2008-1937 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-04-21T00:00:00", "descriptions": [{"lang": "en", "value": "The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://moinmo.in/SecurityFixes"}, {"name": "GLSA-200805-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200805-09.xml"}, {"name": "moinmoin-userform-security-bypass(41909)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41909"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af"}, {"name": "ADV-2008-1307", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/1307/references"}, {"name": "30160", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/30160"}, {"name": "28869", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/28869"}, {"name": "29894", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/29894"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1937", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://moinmo.in/SecurityFixes", "refsource": "CONFIRM", "url": "http://moinmo.in/SecurityFixes"}, {"name": "GLSA-200805-09", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200805-09.xml"}, {"name": "moinmoin-userform-security-bypass(41909)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41909"}, {"name": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af", "refsource": "CONFIRM", "url": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af"}, {"name": "ADV-2008-1307", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1307/references"}, {"name": "30160", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30160"}, {"name": "28869", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28869"}, {"name": "29894", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29894"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T08:41:00.189Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://moinmo.in/SecurityFixes"}, {"name": "GLSA-200805-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-200805-09.xml"}, {"name": "moinmoin-userform-security-bypass(41909)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41909"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af"}, {"name": "ADV-2008-1307", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/1307/references"}, {"name": "30160", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/30160"}, {"name": "28869", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/28869"}, {"name": "29894", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/29894"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1937", "datePublished": "2008-04-24T18:00:00", "dateReserved": "2008-04-24T00:00:00", "dateUpdated": "2024-08-07T08:41:00.189Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moinmoin:moinmoin:1.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "03FBCD1B-2D05-4C17-B41C-CF8DA75BB05D", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmoin:moinmoin:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "51DF4CAC-EDD8-4C71-BC77-0F516692B5FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:moinmoin:moinmoin:1.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "DB1CAAA6-8D33-4901-88E2-120AB7B4CD53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges."}, {"lang": "es", "value": "El procesamiento del formulario \"user\" (userform.py) en MoinMoin anterior a 1.6.3, cuando emplea ACLs o una lista de superusuarios que no est\u00e1 vac\u00eda, no gestiona correctamente los usuarios lo que permite a atacantes remotos obtener privilegios."}], "id": "CVE-2008-1937", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2008-04-25T06:05:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af"}, {"source": "cve@mitre.org", "url": "http://moinmo.in/SecurityFixes"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29894"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/30160"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200805-09.xml"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/28869"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1307/references"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41909"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://hg.moinmo.in/moin/1.6/rev/f405012e67af"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://moinmo.in/SecurityFixes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/29894"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200805-09.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/28869"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1307/references"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41909"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}