Dokuwiki

Dokuwiki

27 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2017-12979

Exploit
  • EPSS 0.54%
  • Veröffentlicht 21.08.2017 07:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution.

6.1

CVE-2017-12583

Exploit
  • EPSS 1.33%
  • Veröffentlicht 06.08.2017 03:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.

6.5

CVE-2016-7965

Exploit
  • EPSS 0.29%
  • Veröffentlicht 31.10.2016 10:59:01
  • Zuletzt bearbeitet 12.04.2025 10:46:40

DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) T...

8.6

CVE-2016-7964

  • EPSS 0.3%
  • Veröffentlicht 31.10.2016 10:59:00
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via...

6.5

CVE-2015-2172

  • EPSS 1.76%
  • Veröffentlicht 30.03.2015 14:59:07
  • Zuletzt bearbeitet 12.04.2025 10:46:40

DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.

4.3

CVE-2014-9253

  • EPSS 0.59%
  • Veröffentlicht 17.12.2014 18:59:02
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to...

5

CVE-2014-8764

  • EPSS 1.22%
  • Veröffentlicht 22.10.2014 14:55:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

5

CVE-2014-8763

  • EPSS 1.05%
  • Veröffentlicht 22.10.2014 14:55:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

5

CVE-2014-8762

  • EPSS 0.6%
  • Veröffentlicht 22.10.2014 14:55:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.

5

CVE-2014-8761

  • EPSS 0.52%
  • Veröffentlicht 22.10.2014 14:55:08
  • Zuletzt bearbeitet 12.04.2025 10:46:40

inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.