Product: Dokuwiki (Dokuwiki)
Repositories https://github.com/splitbrain/dokuwiki
#Vulnerabilities 23
| Date | Id | Summary | Products | Score |
|---|---|---|---|---|
| 2018-09-07 | CVE-2018-15474 | CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki. | Dokuwiki | 9.6 |
| 2009-06-08 | CVE-2009-1960 | inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs. | Dokuwiki | N/A |
| 2022-05-12 | CVE-2022-28919 | HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename. | Dokuwiki, Fedora | 6.1 |
| 2022-09-05 | CVE-2022-3123 | Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. | Dokuwiki, Fedora | 6.1 |
| 2023-06-05 | CVE-2023-34408 | DokuWiki before 2023-04-04a allows XSS via RSS titles. | Dokuwiki | 5.4 |
| 2010-02-15 | CVE-2010-0289 | Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. | Dokuwiki | N/A |
| 2010-02-15 | CVE-2010-0288 | A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. | Dokuwiki | N/A |
| 2010-02-15 | CVE-2010-0287 | Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. | Dokuwiki | N/A |
| 2018-02-03 | CVE-2017-18123 | The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs. | Debian_linux, Dokuwiki | 8.6 |
| 2017-08-21 | CVE-2017-12980 | DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. The JavaScript can be in an author field, as demonstrated by the dc:creator element. | Dokuwiki | 6.1 |