CVSS: 7.5EPSS: 1%CPEs: 29EXPL: 2CVE-2010-0288 – dokuwiki 2009-12-25 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-0288
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. Una errata en el check del permiso de administrador del plugin ACL Manager (plugins/acl/ajax.php) de DokuWiki en versiones anteriores a la v2009-12-25b permite a atacantes remotos obtener privlegios y acceder a wikis cerrados editando las restricciones de ACL actuales, como se ha demostrado en Enero del 2010. • https://www.exploit-db.com/exploits/11141 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.html http://osvdb.org/61710 http://secunia.com/advisories/38183 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.debian.org/security/2010/dsa-1976 http://www.exploit-db.com/exploits/11141 http://www.s • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 29EXPL: 0CVE-2010-0289
https://notcve.org/view.php?id=CVE-2010-0289
Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en el plugin ACL Manager (plugins/acl/ajax.php) de DokuWiki en versiones anteriores a la v2009-12-25c. Permiten a atacantes remotos secuestrar la autenticación de los administradores para peticiones que modifican el acceso a las reglas de control de acceso, y otras peticiones sin especificar, a través de vectores de ataque desconocidos. • http://bugs.splitbrain.org/index.php?do=details&task_id=1853 http://freshmeat.net/projects/dokuwiki/tags/security-fix http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034729.html http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034831.html http://osvdb.org/61708 http://secunia.com/advisories/38205 http://security.gentoo.org/glsa/glsa-201301-07.xml http://www.debian.org/security/2010/dsa-1976 http://www.splitbrain.org/blog/2010-01/17-dok • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.3EPSS: 23%CPEs: 3EXPL: 2CVE-2009-1960 – Dokuwiki 2009-02-14 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-1960
inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs. inc/init.php de DokuWiki 2009-02-14, rc2009-02-06 y rc2009-01-30, cuando register_globals está habilitado, permite a atacantes remotos incluir y ejecutar ficheros locales de su elección a través del parámetro config_cascade[main][default][] de doku.php. NOTA: también es posible una inclusión remota de fichero PHP en PHP v5 que utilice URLs ftp://. • https://www.exploit-db.com/exploits/8781 https://www.exploit-db.com/exploits/8812 http://bugs.splitbrain.org/index.php?do=details&task_id=1700 http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki%3Ba=commitdiff%3Bh=20090526145030-7ad00-c0483e021f47898c8597f3bfbdd26c637f891d86.gz http://secunia.com/advisories/35218 http://www.securityfocus.com/bid/35095 • CWE-94: Improper Control of Generation of Code ('Code Injection') •