[Secure-testing-team] Bug#889281: dokuwiki: CVE-2017-18123: reflected file download vulnerability
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 3 09:24:30 UTC 2018
Source: dokuwiki
Version: 0.0.20160626.a-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/splitbrain/dokuwiki/issues/2029
Control: found -1 0.0.20140505.a+dfsg-4
Hi,
the following vulnerability was published for dokuwiki.
CVE-2017-18123[0]:
| The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e
| does not properly encode user input, which leads to a reflected file
| download vulnerability, and allows remote attackers to run arbitrary
| programs.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-18123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18123
[1] https://github.com/splitbrain/dokuwiki/issues/2029
[2] https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86
Regards,
Salvatore
More information about the Secure-testing-team
mailing list