Vulnerabilities > Dokuwiki > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-05 | CVE-2023-34408 | Cross-site Scripting vulnerability in Dokuwiki DokuWiki before 2023-04-04a allows XSS via RSS titles. | 5.4 |
| 2022-09-05 | CVE-2022-3123 | Cross-site Scripting vulnerability in multiple products Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. | 6.1 |
| 2022-05-12 | CVE-2022-28919 | Cross-site Scripting vulnerability in multiple products HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename. | 6.1 |
| 2017-08-21 | CVE-2017-12980 | Cross-site Scripting vulnerability in Dokuwiki DokuWiki through 2017-02-19c has stored XSS when rendering a malicious RSS or Atom feed, in /inc/parser/xhtml.php. | 4.3 |
| 2017-08-21 | CVE-2017-12979 | Cross-site Scripting vulnerability in Dokuwiki DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. | 4.3 |
| 2017-08-06 | CVE-2017-12583 | Cross-site Scripting vulnerability in Dokuwiki DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. | 4.3 |
| 2016-10-31 | CVE-2016-7965 | Improper Input Validation vulnerability in Dokuwiki DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. | 4.3 |
| 2016-10-31 | CVE-2016-7964 | Server-Side Request Forgery (SSRF) vulnerability in Dokuwiki 20160626A The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. | 4.3 |
| 2015-03-30 | CVE-2015-2172 | Improper Access Control vulnerability in Dokuwiki DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API. | 6.5 |
| 2014-12-17 | CVE-2014-9253 | Cross-Site Scripting vulnerability in multiple products The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php. | 4.3 |