Note:
This project will be discontinued after December 13, 2021.
Product: Dokuwiki (Dokuwiki)

Repositories | https://github.com/splitbrain/dokuwiki |
#Vulnerabilities | 23 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2018-09-07 | CVE-2018-15474 | CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki." | Dokuwiki | 9.6 | ||
2009-06-08 | CVE-2009-1960 | inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs. | Dokuwiki | N/A | ||
2022-05-12 | CVE-2022-28919 | HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename. | Dokuwiki, Fedora | 6.1 | ||
2022-09-05 | CVE-2022-3123 | Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. | Dokuwiki, Fedora | 6.1 | ||
2023-06-05 | CVE-2023-34408 | DokuWiki before 2023-04-04a allows XSS via RSS titles. | Dokuwiki | 5.4 | ||
2010-02-15 | CVE-2010-0289 | Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. | Dokuwiki | N/A | ||
2010-02-15 | CVE-2010-0288 | A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. | Dokuwiki | N/A | ||
2010-02-15 | CVE-2010-0287 | Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. | Dokuwiki | N/A | ||
2018-02-03 | CVE-2017-18123 | The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs. | Debian_linux, Dokuwiki | 8.6 | ||
2017-08-21 | CVE-2017-12980 | DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element. | Dokuwiki | 6.1 |