PatchSiren

CVE-2016-9119 Canonical CVE debrief

CVE-2016-9119 is a medium-severity cross-site scripting issue in MoinMoin's GUI editor link dialogue. The flaw can let a remote attacker inject arbitrary web script or HTML, but the attack requires user interaction and is not a privilege-escalation issue. The published fix path is to move to MoinMoin 1.9.8 or later and confirm any downstream packages include the correction.

  • Vendor: Canonical
  • Product: CVE-2016-9119
  • CVSS: MEDIUM 6.1
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2017-01-30
  • Original CVE updated: 2026-05-13
  • Advisory published: 2017-01-30
  • Advisory updated: 2026-05-13

Who should care

Administrators and developers running MoinMoin instances, especially deployments that expose the GUI editor to untrusted or semi-trusted users. It also matters to operators of affected downstream packages listed in NVD, including Debian and Ubuntu builds that ship vulnerable MoinMoin versions.

Technical summary

NVD classifies the issue as CWE-79 (XSS) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is described as residing in the link dialogue within the GUI editor, affecting MoinMoin versions before 1.9.8. An attacker who can induce a victim to interact with the affected editor flow may be able to inject script or HTML into the rendered page context.

Defensive priority

Medium. Patch promptly if you run MoinMoin, but the issue is not rated critical and requires user interaction. Prioritize environments where users can create or edit wiki content through the GUI editor.

Recommended defensive actions

  • Upgrade MoinMoin to 1.9.8 or later.
  • Review whether the GUI editor link dialogue is exposed to untrusted users and restrict access where practical.
  • Verify downstream distro packages include the vendor fix if you rely on Debian or Ubuntu packaging.
  • Recheck pages and templates for unexpected HTML or script injection after remediation.
  • Apply standard XSS defenses in any custom extensions or integrations around the editor.

Evidence notes

The supplied NVD record states the vulnerability affects MoinMoin before 1.9.8 and maps it to CWE-79. The CVSS vector shows network reachability, low attack complexity, no privileges required, and user interaction required, with confidentiality and integrity impact at low levels. References in the record point to MoinMoin's SecurityFixes page and third-party advisories from Debian, Ubuntu, and SecurityFocus. No KEV entry is present in the supplied enrichment data.

Official resources

The CVE record was published on 2017-01-30T22:59:00.780Z and later modified on 2026-05-13T00:24:29.033Z. The debrief uses the CVE publication date as the disclosure timing reference.