
CVSS: 5.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

ikiwiki before 3.20161229 incorrectly called the CGI::FormBuilder->field method (similar to the CGI->param API that led to Bugzilla's CVE-2014-1572), which can be abused to lead to commit metadata forgery.

• https://ikiwiki.info/security/#cve-2016-9646
• https://marc.info/?l=oss-security&m=148304341511854&w=2
• https://security-tracker.debian.org/tracker/CVE-2016-9646
• https://www.debian.org/security/2017/dsa-3760

CWE-287: Improper Authentication

CVSS: 9.8 • EPSS: 1% • CPEs: 3 • EXPL: 1

A flaw, similar to CVE-2016-9646, exists in ikiwiki before 3.20170111, in the passwordauth plugin's use of CGI::FormBuilder, allowing an attacker to bypass authentication via repeated parameters.

• http://www.securityfocus.com/bid/95420
• https://ikiwiki.info/security/#cve-2017-0356
• https://marc.info/?l=oss-security&m=148418234314276&w=2
• https://www.debian.org/security/2017/dsa-3760

CWE-287: Improper Authentication

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.

• http://ikiwiki.info/security/#index43h2
• http://source.ikiwiki.branchable.com/?p=source.git%3Ba=commitdiff%3Bh=32ef584dc5abb6ddb9f794f94ea0b2934967bba7
• http://www.debian.org/security/2016/dsa-3571

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 178 • EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin (Plugin/meta.pm) in ikiwiki before 3.20120516 allow remote attackers to inject arbitrary web script or HTML via the (1) author or (2) authorurl meta tags.

• http://ikiwiki.info/news/version_3.20120516
• http://osvdb.org/81995
• http://secunia.com/advisories/49199
• http://secunia.com/advisories/49232
• http://source.ikiwiki.branchable.com/?p=source.git%3Ba=commitdiff%3Bh=fbfcea89f8e06426c73ab8ea369ca4cdc566db6f
• http://www.debian.org/security/2012/dsa-2474
• http://www.securityfocus.com/bid/53599
• https://exchange.xforce.ibmcloud.com/vulnerabilities/75702

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 3.5 • EPSS: 0% • CPEs: 174 • EXPL: 0

ikiwiki before 3.20110328 does not ascertain whether the htmlscrubber plugin is enabled during processing of the "meta stylesheet" directive, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in (1) the default stylesheet or (2) an alternate stylesheet.

• http://ikiwiki.info/security/#index39h2
• http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058403.html
• http://secunia.com/advisories/44079
• http://secunia.com/advisories/44137
• http://www.debian.org/security/2011/dsa-2214
• http://www.securityfocus.com/bid/47285
• http://www.vupen.com/english/advisories/2011/0907
• http://www.vupen.com/english/advisories/2011/1005

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')