CVE-2017-18123
- EPSS 2.65%
- Veröffentlicht 03.02.2018 15:29:00
- Zuletzt bearbeitet 21.11.2024 03:19:23
The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.
CVE-2017-12980
- EPSS 1.37%
- Veröffentlicht 21.08.2017 07:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. An attacker can create or edit a wiki that uses RSS or Atom data from an attacker-controlled server to trigger JavaScript execution. Th...
CVE-2017-12979
- EPSS 1.37%
- Veröffentlicht 21.08.2017 07:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.
CVE-2017-12583
- EPSS 3.25%
- Veröffentlicht 06.08.2017 03:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
CVE-2016-7965
- EPSS 1.21%
- Veröffentlicht 31.10.2016 10:59:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) T...
CVE-2016-7964
- EPSS 1.81%
- Veröffentlicht 31.10.2016 10:59:00
- Zuletzt bearbeitet 06.05.2026 22:30:45
The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via...
CVE-2015-2172
- EPSS 2.88%
- Veröffentlicht 30.03.2015 14:59:07
- Zuletzt bearbeitet 06.05.2026 22:30:45
DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.
CVE-2014-9253
- EPSS 2.37%
- Veröffentlicht 17.12.2014 18:59:02
- Zuletzt bearbeitet 06.05.2026 22:30:45
The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to...
- EPSS 1.66%
- Veröffentlicht 22.10.2014 14:55:08
- Zuletzt bearbeitet 06.05.2026 22:30:45
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
- EPSS 2.52%
- Veröffentlicht 22.10.2014 14:55:08
- Zuletzt bearbeitet 06.05.2026 22:30:45
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.