Vulnerabilities > Dokuwiki

DATE        CVE             VULNERABILITY TITLE
            Description
            Attack vector | Complexity | Products | CWE | Severity | Risk score

2018-09-07  CVE-2018-15474  Improper Neutralization of Formula Elements in a CSV File vulnerability in Dokuwiki
            ** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export.
            Attack vector: network | Products: dokuwiki | CWE-1236 | Risk: 6.8

2018-02-03  CVE-2017-18123  Improper Input Validation vulnerability in multiple products
            The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.
            Attack vector: network | Products: dokuwiki, debian | CWE-20 | Severity: critical | Risk: 9.3

2017-08-21  CVE-2017-12980  Cross-site Scripting vulnerability in Dokuwiki
            DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php.
            Attack vector: network | Products: dokuwiki | CWE-79 | Risk: 4.3

2017-08-21  CVE-2017-12979  Cross-site Scripting vulnerability in Dokuwiki
            DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php.
            Attack vector: network | Products: dokuwiki | CWE-79 | Risk: 4.3

2017-08-06  CVE-2017-12583  Cross-site Scripting vulnerability in Dokuwiki
            DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php.
            Attack vector: network | Products: dokuwiki | CWE-79 | Risk: 4.3

2016-10-31  CVE-2016-7965   Improper Input Validation vulnerability in Dokuwiki
            DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL.
            Attack vector: network | Products: dokuwiki | CWE-20 | Risk: 4.3

2016-10-31  CVE-2016-7964   Server-Side Request Forgery (SSRF) vulnerability in Dokuwiki 20160626A
            The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks.
            Attack vector: network | Products: dokuwiki | CWE-918 | Risk: 4.3

2015-03-30  CVE-2015-2172   Improper Access Control vulnerability in Dokuwiki
            DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.
            Attack vector: network | Complexity: low | Products: dokuwiki | CWE-284 | Risk: 6.5

2014-12-17  CVE-2014-9253   Cross-Site Scripting vulnerability in multiple products
            The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.
            Risk: 4.3

2014-10-22  CVE-2014-8764   Improper Authentication vulnerability in multiple products
            DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
            Attack vector: network | Complexity: low | Products: mageia-project, dokuwiki | CWE-287 | Risk: 5.0