Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI.

MoinMoin 1.7.1 allows remote attackers to bypass the textcha protection mechanism by modifying the textcha-question and textcha-answer fields to have empty values.