CVE-2014-9253 — Cross-site Scripting in Dokuwiki

CWE-79 — Cross-site Scripting8 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dokuwiki Debian Dokuwiki Mageia

Timeline

PublishedDec 17

Latest updateMay 17

Description

The default file type whitelist configuration in conf/mime.conf in the Media Manager in DokuWiki before 2014-09-29b allows remote attackers to execute arbitrary web script or HTML by uploading an SWF file, then accessing it via the media parameter to lib/exe/fetch.php.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/dokuwiki< dokuwiki 0.0.20140929.d-1 (bookworm)

▶Debiandokuwiki/dokuwiki< 0.0.20140929.d-1+3

▶NVDdokuwiki/dokuwiki2014-05-05c

▶NVDmageia/mageia4.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-g587-72hj-w684: The default file type whitelist configuration in conf/mime↗2022-05-17

▶

OSV

CVE-2014-9253: The default file type whitelist configuration in conf/mime↗2014-12-17

▶

📋Vendor Advisories

Debian

CVE-2014-9253: dokuwiki - The default file type whitelist configuration in conf/mime.conf in the Media Man...↗2014

▶

💬Community

Bugzilla

CVE-2014-9253 dokuwiki: XSS via SFW file upload↗2014-12-15

▶

Bugzilla

CVE-2014-9253 dokuwiki: XSS via SFW file upload [fedora-all]↗2014-12-15

▶

Bugzilla

CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-6]↗2014-12-15

▶

Bugzilla

CVE-2014-9253 dokuwiki: XSS via SFW file upload [epel-5]↗2014-12-15

▶