VuXML ID | Description |
7580f00e-280c-11e0-b7c8-00215c6a37bb | dokuwiki -- multiple privilege escalation vulnerabilities
Dokuwiki reports:
This security update fixes problems in the XMLRPC
interface where ACLs were not checked correctly
sometimes, making it possible to access and write
information that should not have been accessible/writable.
This only affects users who have enabled the XMLRPC
interface (default is off) and have enabled XMLRPC
access for users who can't access/write all content
anyway (default is nobody, see http://www.dokuwiki.org/config:xmlrpcuser
for details).
This update also includes a fix for a problem in
the general ACL checking function that could be exploited
to gain access to restricted pages and media files in rare
conditions (when you had rights for an id you could get
the same rights on ids where one character has been
replaced by a ".").
Discovery 2011-01-16 Entry 2011-01-24
dokuwiki < 20101107a
http://bugs.dokuwiki.org/index.php?do=details&task_id=2136
|
2fe4b57f-d110-11e1-ac76-10bf48230856 | Dokuwiki -- cross site scripting vulnerability
Secunia Research reports:
Secunia Research has discovered a vulnerability in DokuWiki, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call"
is set to "medialist" and "do" is set to "media") is not properly
sanitised within the "tpl_mediaFileList()" function in inc/template.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Discovery 2012-07-13 Entry 2012-07-18
dokuwiki < 20120125_2
http://secunia.com/advisories/49196/
CVE-2012-0283
|
a04247f1-8d9c-11e1-93c7-00215c6a37bb | Dokuwiki -- cross site scripting vulnerability
Andy Webber reports:
Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).
Discovery 2012-04-17 Entry 2012-04-23
dokuwiki < 20120125_1
CVE-2012-2128
CVE-2012-2129
|
848539dc-0458-11df-8dd7-002170daae37 | dokuwiki -- multiple vulnerabilities
Dokuwiki reports:
The plugin does no checks against cross-site request
forgeries (CSRF) which can be exploited to e.g. change
the access control rules by tricking a logged in
administrator into visiting a malicious web site.
The bug allows listing the names of arbitrary files on
the webserver - not their contents. This could leak
private information about wiki pages and server structure.
Discovery 2010-01-17 Entry 2010-01-18 Modified 2010-05-02
dokuwiki < 20091225_2
CVE-2010-0288
CVE-2010-0287
CVE-2010-0289
http://bugs.splitbrain.org/index.php?do=details&task_id=1847
http://bugs.splitbrain.org/index.php?do=details&task_id=1853
|
0b535cd0-9b90-11e0-800a-00215c6a37bb | Dokuwiki -- cross site scripting vulnerability
Dokuwiki reports:
We just released a Hotfix Release "2011-05-25a Rincewind".
It contains the following changes:
Security fix for a Cross Site Scripting vulnerability.
Malicious users could abuse DokuWiki's RSS embedding mechanism
to create links containing arbitrary JavaScript. Note: this
security problem is present in at least Anteater and Rincewind
but probably in older releases as well.
Discovery 2011-06-14 Entry 2011-06-20
dokuwiki < 20110525a
http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind
|