FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description

a04247f1-8d9c-11e1-93c7-00215c6a37bb  Dokuwiki -- cross site scripting vulnerability

Andy Webber reports:

Add User appears to be vulnerable to Cross Site Request Forgery (CSRF/XSRF).


Discovery 2012-04-17
Entry 2012-04-23
dokuwiki
< 20120125_1

CVE-2012-2128
CVE-2012-2129

0b535cd0-9b90-11e0-800a-00215c6a37bb  Dokuwiki -- cross site scripting vulnerability

Dokuwiki reports:

We just released a Hotfix Release "2011-05-25a Rincewind". It contains the following changes:

Security fix for a Cross Site Scripting vulnerability. Malicious users could abuse DokuWiki's RSS embedding mechanism to create links containing arbitrary JavaScript. Note: this security problem is present in at least Anteater and Rincewind but probably in older releases as well.


Discovery 2011-06-14
Entry 2011-06-20
dokuwiki
< 20110525a

http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind

7580f00e-280c-11e0-b7c8-00215c6a37bb  dokuwiki -- multiple privilege escalation vulnerabilities

Dokuwiki reports:

This security update fixes problems in the XMLRPC interface where ACLs were not checked correctly sometimes, making it possible to access and write information that should not have been accessible/writable. This only affects users who have enabled the XMLRPC interface (default is off) and have enabled XMLRPC access for users who can't access/write all content anyway (default is nobody, see http://www.dokuwiki.org/config:xmlrpcuser for details).

This update also includes a fix for a problem in the general ACL checking function that could be exploited to gain access to restricted pages and media files in rare conditions (when you had rights for an id you could get the same rights on ids where one character has been replaced by a ".").


Discovery 2011-01-16
Entry 2011-01-24
dokuwiki
< 20101107a

http://bugs.dokuwiki.org/index.php?do=details&task_id=2136

4f838b74-50a1-11de-b01f-001c2514716c  dokuwiki -- Local File Inclusion with register_globals on

DokuWiki reports:

A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading a file via the media manager or placing PHP code in editable pages.


Discovery 2009-05-26
Entry 2009-06-04
Modified 2010-05-02
dokuwiki
< 20090214_2

dokuwiki-devel
> 0

CVE-2009-1960
http://bugs.splitbrain.org/index.php?do=details&task_id=1700

cddde37a-39b5-11dc-b3da-001921ab2fa4  dokuwiki -- XSS vulnerability in spellchecker backend

DokuWiki reports:

The spellchecker tests the UTF-8 capabilities of the used browser by sending a UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser.

Affected are all versions up to and including 2007-06-26 even when the spell checker is disabled.


Discovery 2007-06-26
Entry 2007-07-24
dokuwiki
< 20070626_1

dokuwiki-devel
< 20070524_1

http://xforce.iss.net/xforce/xfdb/35501
CVE-2007-3930

fcba5764-506a-11db-a5ae-00508d6a62df  dokuwiki -- multiple vulnerabilities

Secunia reports:

rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "TARGET_FN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory traversal attacks in combination with DokuWiki's file upload feature to execute arbitrary PHP code.

CVE Mitre reports:

Direct static code injection vulnerability in doku.php in DokuWiki before 2006-03-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php.

Unrestricted file upload vulnerability in lib/exe/media.php in DokuWiki before 2006-03-09c allows remote attackers to upload executable files into the data/media folder via unspecified vectors.

DokuWiki before 2006-03-09c enables the debug feature by default, which allows remote attackers to obtain sensitive information by calling doku.php with the X-DOKUWIKI-DO HTTP header set to "debug".


Discovery 2006-09-08
Entry 2006-09-30
Modified 2006-10-02
dokuwiki
< 20060309c

dokuwiki-devel
< 20060909

19911
CVE-2006-4674
CVE-2006-4675
CVE-2006-4679
http://secunia.com/advisories/21819/
http://bugs.splitbrain.org/index.php?do=details&id=906

450b76ee-5068-11db-a5ae-00508d6a62df  dokuwiki -- multiple vulnerabilities

Secunia reports:

Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Input passed to the "w" and "h" parameters in lib/exec/fetch.php is not properly sanitised before being passed as resize parameters to the "convert" application. This can be exploited to cause a DoS due to excessive CPU and memory consumption by passing very large numbers, or to inject arbitrary shell commands by passing specially crafted strings to the "w" and "h" parameters.

Successful exploitation requires that the "$conf[imconvert]" option is set.


Discovery 2006-09-26
Entry 2006-09-30
Modified 2006-10-02
dokuwiki
< 20060309_5

dokuwiki-devel
< 20060609_2

CVE-2006-5098
CVE-2006-5099
http://secunia.com/advisories/22192/
http://secunia.com/advisories/22199/
http://bugs.splitbrain.org/?do=details&id=924
http://bugs.splitbrain.org/?do=details&id=926

848539dc-0458-11df-8dd7-002170daae37  dokuwiki -- multiple vulnerabilities

Dokuwiki reports:

The plugin does no checks against cross-site request forgeries (CSRF) which can be exploited to e.g. change the access control rules by tricking a logged in administrator into visiting a malicious web site.

The bug allows listing the names of arbitrary files on the webserver - not their contents. This could leak private information about wiki pages and server structure.


Discovery 2010-01-17
Entry 2010-01-18
Modified 2010-05-02
dokuwiki
< 20091225_2

CVE-2010-0288
CVE-2010-0287
CVE-2010-0289
http://bugs.splitbrain.org/index.php?do=details&task_id=1847
http://bugs.splitbrain.org/index.php?do=details&task_id=1853

2fe4b57f-d110-11e1-ac76-10bf48230856  Dokuwiki -- cross site scripting vulnerability

Secunia Research reports:

Secunia Research has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call" is set to "medialist" and "do" is set to "media") is not properly sanitised within the "tpl_mediaFileList()" function in inc/template.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.


Discovery 2012-07-13
Entry 2012-07-18
dokuwiki
< 20120125_2

http://secunia.com/advisories/49196/
CVE-2012-0283