Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-1960Code Injection in Dokuwiki

CWE-94Code Injection6 documents5 sources
Severity
9.3CRITICALNVD
EPSS
39.0%
top 2.72%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
DokuwikiDebian Dokuwiki
Timeline
PublishedJun 8
Latest updateMay 2

Description

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the config_cascade[main][default][] parameter to doku.php. NOTE: PHP remote file inclusion is also possible in PHP 5 using ftp:// URLs.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

debiandebian/dokuwiki< dokuwiki 0.0.20090214b-1 (bookworm)
Debiandokuwiki/dokuwiki< 0.0.20090214b-1+3
NVDdokuwiki/dokuwiki2009-02-14, rc2009-01-30, rc2009-02-06+2

Patches

Patch: bugs.splitbrain.orgPatch: bugs.splitbrain.org

🔴Vulnerability Details

2
GHSA
GHSA-hm24-p578-9g92: inc/init2022-05-02
OSV
CVE-2009-1960: inc/init2009-06-08

💥Exploits & PoCs

2
Exploit-DB
Dokuwiki 2009-02-14 - Local File Inclusion2009-05-26
Exploit-DB
Dokuwiki 2009-02-14 - Temporary/Remote File Inclusion2009-05-26

📋Vendor Advisories

1
Debian
CVE-2009-1960: dokuwiki - inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when regist...2009