25 results (0.019 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

DokuWiki before 2023-04-04a allows XSS via RSS titles. DokuWiki antes de la fecha 04-04-2023 permite ataques de Cross-Site Scripting (XSS) a través de títulos RSS. • https://github.com/dokuwiki/dokuwiki/compare/release-2023-04-04...release-2023-04-04a https://github.com/dokuwiki/dokuwiki/pull/3967 https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0 https://www.github.com/splitbrain/dokuwiki/commit/53df38b0e4465894a67a5890f74a6f5f82e827de • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Reflejado en el repositorio GitHub splitbrain/dokuwiki versiones anteriores a 2022-07-31a • https://github.com/splitbrain/dokuwiki/commit/63e9a247c072008a031f9db39fa496f6aca489b6 https://huntr.dev/bounties/d72a979b-57db-4201-9500-66b49a5c1345 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LLNV7GYZPGLIKBLISVQUREQXE3WHI5R2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZQTVHRBEVMSKQESNFLU7MAUAB3R3PG2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XIWZXLDU7SUS2FANXQRCHJY3F3SWT27E • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6EPSS: 2%CPEs: 1EXPL: 3

CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki. ** EN DISPUTA ** Inyección CSV (también conocida como Excel Macro Injection o Formula Injection) en /lib/plugins/usermanager/admin.php en DokuWiki 2018-04-22a y anteriores permite que atacantes remotos exfiltren datos sensibles y ejecuten código arbitrario mediante un valor que se gestiona de manera incorrecta en una exportación en CSV. NOTA: el fabricante ha indicado que "esto no es un problema de seguridad en DokuWiki". DokuWiki version 2018-04-22a Greebo suffers from a CSV formula injection vulnerability that allows for arbitrary code execution. • https://github.com/splitbrain/dokuwiki/issues/2450 https://seclists.org/fulldisclosure/2018/Sep/4 https://www.patreon.com/posts/unfixed-security-21250652 https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 9.3EPSS: 1%CPEs: 2EXPL: 2

The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs. El parámetro call de /lib/exe/ajax.php en DokuWiki hasta 2017-02-19e no cifra correctamente las entradas de usuario, lo que conduce a una vulnerabilidad de descarga de archivos reflejada y permite que atacantes remotos ejecuten programas arbitrarios. • https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86 https://github.com/splitbrain/dokuwiki/issues/2029 https://github.com/splitbrain/dokuwiki/pull/2019 https://hackerone.com/reports/238316 https://lists.debian.org/debian-lts-announce/2018/02/msg00004.html https://lists.debian.org/debian-lts-announce/2018/07/msg00004.html https://vulnhive.com/2018/000004 • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

DokuWiki through 2017-02-19c has stored XSS when rendering a malicious language name in a code element, in /inc/parser/xhtml.php. An attacker can create or edit a wiki with this element to trigger JavaScript execution. DokuWiki en su versión 2017-02-19c tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) cuando presenta un nombre de lenguaje malicioso en un elemento del código en /inc/parser/xhtml.php. Un atacante puede crear o editar una wiki con este elemento para desencadenar la ejecución de JavaScript. • https://github.com/splitbrain/dokuwiki/issues/2080 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •