CVE-2014-8764
https://notcve.org/view.php?id=CVE-2014-8764
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind. DokuWiki 2014-05-05a y anteriores, cuando utiliza Active Directory para la autenticación LDAP, permite a atacantes remotos evadir la autenticación a través de un nombre de usuario y una contraseña que empiece por un caracter nulo (\0), lo que provoca un bind anónimo. • http://advisories.mageia.org/MGASA-2014-0438.html http://secunia.com/advisories/61983 http://www.debian.org/security/2014/dsa-3059 http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication http://www.openwall.com/lists/oss-security/2014/10/13/3 http://www.openwall.com/lists/oss-security/2014/10/16/9 https://github.com/splitbrain/dokuwiki/pull/868 • CWE-287: Improper Authentication •
CVE-2014-8762
https://notcve.org/view.php?id=CVE-2014-8762
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter. La función ajax_mediadiff en DokuWiki anterior a 2014-05-05a permite a atacantes remotos acceder a imágenes arbitrarias a través de un espacio de nombre manipulado en el parámetro ns. • http://advisories.mageia.org/MGASA-2014-0438.html http://secunia.com/advisories/61983 http://www.debian.org/security/2014/dsa-3059 http://www.openwall.com/lists/oss-security/2014/10/13/3 http://www.openwall.com/lists/oss-security/2014/10/16/9 http://www.securityfocus.com/bid/70404 https://github.com/splitbrain/dokuwiki/issues/765 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-8763
https://notcve.org/view.php?id=CVE-2014-8763
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind. DokuWiki anterior a 2014-05-05b, cuando utiliza Active Directory para la autenticación LDAP, permite a atacantes remotos evadir la autenticación a través de una contraseña que empiece por un caracter nulo (\0) y un nombre de usuario válido, lo que provoca un bind no autenticado. • http://advisories.mageia.org/MGASA-2014-0438.html http://secunia.com/advisories/61983 http://www.debian.org/security/2014/dsa-3059 http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication http://www.openwall.com/lists/oss-security/2014/10/13/3 http://www.openwall.com/lists/oss-security/2014/10/16/9 https://github.com/splitbrain/dokuwiki/pull/868 • CWE-287: Improper Authentication •
CVE-2012-0283
https://notcve.org/view.php?id=CVE-2012-0283
Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la función tpl_mediaFileList en inc/template.php en DokuWiki anterior a 2012-01-25b, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro ns en una acción medialist para lib/exe/ajax.php. • http://bugs.dokuwiki.org/index.php?do=details&task_id=2561 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090755.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090899.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090938.html http://secunia.com/secunia_research/2012-24 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.securityfocus.com/bid/54439 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-3727
https://notcve.org/view.php?id=CVE-2011-3727
DokuWiki 2009-12-25c allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/tpl/index.php and certain other files. DokuWiki v2009-12-25c permite a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con lib/tpl/index.php y algunos otros archivos. • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/dokuwiki-2009-12-25c http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090755.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090899.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090938.html http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.mandriva.com/security/a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •