9.3
CVE-2017-18123
- EPSS 2.65%
- Veröffentlicht 03.02.2018 15:29:00
- Zuletzt bearbeitet 21.11.2024 03:19:23
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.65% | 0.836 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.6 | 1.8 | 6 |
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
|
| nvd@nist.gov | 9.3 | 8.6 | 10 |
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86
https://github.com/splitbrain/dokuwiki/issues/2029
https://github.com/splitbrain/dokuwiki/pull/2019
https://hackerone.com/reports/238316
https://lists.debian.org/debian-lts-announce/2018/02/msg00004.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00004.html
https://vulnhive.com/2018/000004