CVE-2017-5934
Description
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in MoinMoin's GUI editor link dialog before 1.9.10 lets remote attackers inject arbitrary script via unspecified vectors.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the link dialogue of the GUI editor in MoinMoin versions before 1.9.10 [1]. The flaw is triggered by unspecified vectors that allow an attacker to inject arbitrary web script or HTML [2]. This issue was fixed in version 1.9.10 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input in the link dialogue of the GUI editor. No specific authentication or network position details are disclosed in the available references, but the attack vector is network-based and requires the victim to interact with the malicious link [3].
Impact
Successful exploitation allows remote attackers to inject arbitrary web script or HTML in the context of the victim's browser session [2]. This can lead to disclosure of sensitive information, session hijacking, or other client-side attacks [4].
Mitigation
MoinMoin versions 1.9.10 and later contain the fix for CVE-2017-5934 [1]. Users should upgrade to version 1.9.10 or higher. Ubuntu users can apply the update via USN-3794-1 [4]. No workaround is documented in the references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| moin (PyPI) | < 1.9.10 | 1.9.10 |
Affected products (1)
Patches (1)
70955a8eae09 security fix for CVE-2017-5934, XSS in GUI editor related code
2 files changed · +3 −1
docs/CHANGES+1 −0 modified@@ -23,6 +23,7 @@ Version 1.9.10 aka "the end of spam release" (not released yet) should be aware of beforehands. Fixes: + * security fix for CVE-2017-5934, XSS in GUI editor related code * fix wrong digestmod of hmac.new calls (incorporate 1.9.9 patch) * fix broken table attribute processing (wikiutil.escape) * fix AttributeError in multifile action
MoinMoin/action/fckdialog.py+2 −1 modified@@ -203,6 +203,7 @@ def page_list(request): def link_dialog(request): # list of wiki pages name = request.values.get("pagename", "") + name_escaped = wikiutil.escape(name) if name: from MoinMoin import search # XXX error handling! @@ -299,7 +300,7 @@ def link_dialog(request): <tr> <td> <span fckLang="PageDlgName">Page Name</span><br> - <input id="txtPagename" name="pagename" size="30" value="%(name)s"> + <input id="txtPagename" name="pagename" size="30" value="%(name_escaped)s"> </td> <td valign="bottom"> <input id=btnSearchpage type="submit" value="Search">
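Review bot: The docs/CHANGES entry says only "XSS in GUI editor related code", which does not tell an administrator which component was affected. Naming the link dialog (MoinMoin/action/fckdialog.py) in that line would let readers of the changelog judge their exposure without opening the diff.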
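Review bot: In the first fckdialog.py hunk (@@ -203,6 +203,7), `link_dialog` now carries both `name` and `name_escaped` for the same request value, so any other spot in the function that writes `name` into markup stays unescaped and the two are easy to mix up later. Please check the remaining placeholders in this function's template for request-derived values, or escape at the point of output instead of keeping a parallel variable.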
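Review bot: In the second fckdialog.py hunk (@@ -299,7 +300,7), the escaped value lands inside a double-quoted `value="..."` attribute, so the fix holds only if `wikiutil.escape(name)` as called here also encodes `"`. Please confirm that, or request quote escaping explicitly if the helper makes it optional. The commit changes only docs/CHANGES and fckdialog.py, so a regression test that submits a `pagename` containing a quote and checks the rendered field would be worth adding.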
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
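The fix commit above escapes the `pagename` request value before it is written into the `value` attribute of the link dialog's input field. The following check is an added example, not MoinMoin code: it assumes Python 3's standard `html` module in place of `wikiutil.escape`, a template line modelled on the patched `<input>`, and constructed probe strings, and it reports which escaping keeps the field intact.

```python
import html
from html.parser import HTMLParser

# Modelled on the <input> line in the fix commit; not MoinMoin's own template.
FIELD = '<input id="txtPagename" name="pagename" size="30" value="%(name)s">'
EXPECTED_ATTRS = {"id", "name", "size", "value"}
# Constructed, harmless probe values containing HTML metacharacters.
PROBES = ['FrontPage', 'a<b>&c', 'a" data-probe="1']

def render_unescaped(name):
    """Pre-fix behaviour: the request value is interpolated as-is."""
    return FIELD % {"name": name}

def render_tags_only(name):
    """Escapes &, < and > but not quotes (hypothetical weak helper)."""
    return FIELD % {"name": html.escape(name, quote=False)}

def render_attr_safe(name):
    """Escapes &, <, > and both quote characters."""
    return FIELD % {"name": html.escape(name, quote=True)}

class TagCollector(HTMLParser):
    """Records every start tag with its decoded attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def field_is_intact(markup, submitted):
    """True if markup is exactly one <input> whose value round-trips."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return (tag == "input" and set(attrs) == EXPECTED_ATTRS
            and attrs["value"] == submitted)

def audit(render):
    """Return the probes that the given renderer fails to contain."""
    return [p for p in PROBES if not field_is_intact(render(p), p)]

if __name__ == "__main__":
    for fn in (render_unescaped, render_tags_only, render_attr_safe):
        print(fn.__name__, "fails on:", audit(fn))
```

Only the quote-bearing probe separates the renderers: inside a double-quoted attribute, `<` and `>` do not end the value, but `"` does.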
References (10)
- lists.opensuse.org/opensuse-security-announce/2018-10/msg00024.html · ghsa · vendor-advisory · x_refsource_SUSE · WEB
- github.com/advisories/GHSA-42fp-4hm3-j8r7 · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-5934 · ghsa · ADVISORY
- usn.ubuntu.com/3794-1/ · mitre · vendor-advisory · x_refsource_UBUNTU
- www.debian.org/security/2018/dsa-4318 · ghsa · vendor-advisory · x_refsource_DEBIAN · WEB
- moinmo.in/SecurityFixes · ghsa · x_refsource_CONFIRM · WEB
- github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 · ghsa · x_refsource_CONFIRM · WEB
- github.com/pypa/advisory-database/tree/main/vulns/moin/PYSEC-2018-47.yaml · ghsa · WEB
- lists.debian.org/debian-lts-announce/2018/10/msg00007.html · ghsa · mailing-list · x_refsource_MLIST · WEB
- usn.ubuntu.com/3794-1 · ghsa · WEB