CVE-2017-18123 — Improper Input Validation in Dokuwiki

CWE-20 — Improper Input Validation7 documents5 sources

Severity

8.6HIGHNVD

EPSS

0.5%

top 33.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dokuwiki Debian Dokuwiki Debian Linux

Timeline

PublishedFeb 3

Latest updateMay 14

Description

The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages3 packages

▶debiandebian/dokuwiki< dokuwiki 0.0.20160626.a-2.1 (bookworm)

▶Debiandokuwiki/dokuwiki< 0.0.20160626.a-2.1+3

▶NVDdokuwiki/dokuwiki2017-02-19e

Also affects: Debian Linux 7.0

Patches

Patch: github.com ↗Patch: vulnhive.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-9v2g-x5vw-rfgc: The call parameter of /lib/exe/ajax↗2022-05-14

▶

OSV

CVE-2017-18123: The call parameter of /lib/exe/ajax↗2018-02-03

▶

📋Vendor Advisories

Debian

CVE-2017-18123: dokuwiki - The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not...↗2017

▶

💬Community

Bugzilla

CVE-2016-7964 CVE-2016-7965 CVE-2017-12583 CVE-2017-12979 CVE-2017-12980 CVE-2017-18123 dokuwiki: Various flaws↗2016-10-31

▶

Bugzilla

CVE-2016-7964 CVE-2016-7965 CVE-2017-12583 CVE-2017-12979 CVE-2017-12980 CVE-2017-18123 dokuwiki: Various flaws [epel-all]↗2016-10-31

▶

Bugzilla

CVE-2016-7964 CVE-2016-7965 CVE-2017-12583 CVE-2017-12979 CVE-2017-12980 CVE-2017-18123 dokuwiki: Various flaws [fedora-all]↗2016-10-31

▶