ID 2FE4B57F-D110-11E1-AC76-10BF48230856 Type freebsd Reporter FreeBSD Modified 2012-07-13T00:00:00
Description
Secunia Research reports:
Secunia Research has discovered a vulnerability in DokuWiki, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Input passed to the "ns" POST parameter in lib/exe/ajax.php (when "call"
is set to "medialist" and "do" is set to "media") is not properly
sanitised within the "tpl_mediaFileList()" function in inc/template.php
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
{"reporter": "FreeBSD", "published": "2012-07-13T00:00:00", "cvelist": ["CVE-2012-0283"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "20120125_2", "packageFilename": "UNKNOWN", "packageName": "dokuwiki", "arch": "noarch", "operator": "lt"}], "title": "Dokuwiki -- cross site scripting vulnerability", "objectVersion": "1.2", "type": "freebsd", "href": "https://vuxml.freebsd.org/freebsd/2fe4b57f-d110-11e1-ac76-10bf48230856.html", "bulletinFamily": "unix", "hashmap": [{"hash": "b866c37ea07c0fa368c981436097efb1", "key": "affectedPackage"}, {"hash": "4913a9178621eadcdf191db17915fbcb", "key": "bulletinFamily"}, {"hash": "1e34bc05965288c0b1096c8b099ab416", "key": "cvelist"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "25d4581dbf493d6644ee966a96bc8bf1", "key": "description"}, {"hash": "4d1b63ee3bf43022d449e451f7c370cd", "key": "href"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "2f047dd613ce2440cb8b7a7e96329f95", "key": "published"}, {"hash": "3780502d37239857d11b17eef8305b31", "key": "references"}, {"hash": "a3dc630729e463135f4e608954fa6e19", "key": "reporter"}, {"hash": "4507c3657b035039ffa97129d0efc963", "key": "title"}, {"hash": "1527e888767cdce15d200b870b39cfd0", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "history": [], "enchantments": {"vulnersScore": 4.3}, "modified": "2012-07-13T00:00:00", "hash": "5884687b249b8d0e247a4b4eda1b25fbd8b314998af046f1e6d5e63448f4fcc8", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "viewCount": 0, "edition": 1, "description": "\nSecunia Research reports:\n\nSecunia Research has discovered a vulnerability in DokuWiki, which can\n\t be exploited by malicious people to conduct cross-site scripting\n\t attacks.\nInput passed to the \"ns\" POST parameter in lib/exe/ajax.php (when \"call\"\n\t is set to \"medialist\" and \"do\" is set to \"media\") is not properly\n\t sanitised within the \"tpl_mediaFileList()\" function in inc/template.php\n\t before being returned to the user. This can be exploited to execute\n\t arbitrary HTML and script code in a user's browser session in context\n\t of an affected site.\n\n", "references": ["http://secunia.com/advisories/49196/"], "id": "2FE4B57F-D110-11E1-AC76-10BF48230856", "lastseen": "2016-09-26T17:24:36"}
{"result": {"cve": [{"id": "CVE-2012-0283", "type": "cve", "title": "CVE-2012-0283", "description": "Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php.", "published": "2012-07-13T17:55:02", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0283", "cvelist": ["CVE-2012-0283"], "lastseen": "2016-09-03T16:08:49"}], "openvas": [{"id": "OPENVAS:71524", "type": "openvas", "title": "FreeBSD Ports: dokuwiki", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-08-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=71524", "cvelist": ["CVE-2012-0283"], "lastseen": "2017-07-02T21:10:58"}, {"id": "OPENVAS:136141256231071524", "type": "openvas", "title": "FreeBSD Ports: dokuwiki", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2012-08-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071524", "cvelist": ["CVE-2012-0283"], "lastseen": "2018-04-06T11:20:53"}, {"id": "OPENVAS:1361412562310864829", "type": "openvas", "title": "Fedora Update for dokuwiki FEDORA-2012-16614", "description": "Check for the Version of dokuwiki", "published": "2012-11-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864829", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2011-3727"], "lastseen": "2018-04-06T11:17:53"}, {"id": "OPENVAS:864829", "type": "openvas", "title": "Fedora Update for dokuwiki FEDORA-2012-16614", "description": "Check for the Version of dokuwiki", "published": "2012-11-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=864829", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2011-3727"], "lastseen": "2018-01-02T10:57:05"}, {"id": "OPENVAS:864836", "type": "openvas", "title": "Fedora Update for dokuwiki FEDORA-2012-16605", "description": "Check for the Version of dokuwiki", "published": "2012-11-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=864836", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2012-2129", "CVE-2011-3727"], "lastseen": "2018-01-08T12:58:40"}, {"id": "OPENVAS:1361412562310864836", "type": "openvas", "title": "Fedora Update for dokuwiki FEDORA-2012-16605", "description": "Check for the Version of dokuwiki", "published": "2012-11-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864836", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2012-2129", "CVE-2011-3727"], "lastseen": "2018-04-06T11:20:33"}, {"id": "OPENVAS:1361412562310121006", "type": "openvas", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201301-07", "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201301-07", "published": "2015-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121006", "cvelist": ["CVE-2010-0288", "CVE-2010-0289", "CVE-2012-0283", "CVE-2011-2510", "CVE-2011-3727", "CVE-2010-0287"], "lastseen": "2018-04-09T11:30:35"}], "nessus": [{"id": "FREEBSD_PKG_2FE4B57FD11011E1AC7610BF48230856.NASL", "type": "nessus", "title": "FreeBSD : Dokuwiki -- XSS vulnerability (2fe4b57f-d110-11e1-ac76-10bf48230856)", "description": "Secunia Research reports :\n\nSecunia Research has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.\n\nInput passed to the 'ns' POST parameter in lib/exe/ajax.php (when 'call' is set to 'medialist' and 'do' is set to 'media') is not properly sanitised within the 'tpl_mediaFileList()' function in inc/template.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.", "published": "2012-07-19T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60055", "cvelist": ["CVE-2012-0283"], "lastseen": "2017-10-29T13:42:31"}, {"id": "FEDORA_2012-16605.NASL", "type": "nessus", "title": "Fedora 16 : dokuwiki-0-0.14.20121013.fc16 (2012-16605)", "description": "upgrade to latest upstream Update to latest upstream\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2012-10-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=62751", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2011-3727"], "lastseen": "2017-10-29T13:34:39"}, {"id": "FEDORA_2012-16614.NASL", "type": "nessus", "title": "Fedora 17 : dokuwiki-0-0.14.20121013.fc17 (2012-16614)", "description": "upgrade to latest upstream Update to latest upstream\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2012-10-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=62752", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2011-3727"], "lastseen": "2017-10-29T13:42:38"}, {"id": "FEDORA_2012-16550.NASL", "type": "nessus", "title": "Fedora 18 : dokuwiki-0-0.14.20121013.fc18 (2012-16550)", "description": "upgrade to latest upstream\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2012-10-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=62699", "cvelist": ["CVE-2012-0283", "CVE-2012-3354", "CVE-2011-3727"], "lastseen": "2017-10-29T13:42:36"}, {"id": "GENTOO_GLSA-201301-07.NASL", "type": "nessus", "title": "GLSA-201301-07 : DokuWiki: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-201301-07 (DokuWiki: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in DokuWiki. Please review the CVE identifiers referenced below for details.\n Impact :\n\n The vulnerabilities might allow an attacker to disclose local files, to inject arbitrary web script, or to gain elevated privileges in the DokuWiki application.\n Workaround :\n\n There is no known workaround at this time.", "published": "2013-01-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63441", "cvelist": ["CVE-2010-0288", "CVE-2010-0289", "CVE-2012-0283", "CVE-2011-2510", "CVE-2011-3727", "CVE-2010-0287"], "lastseen": "2018-07-12T17:29:33"}], "gentoo": [{"id": "GLSA-201301-07", "type": "gentoo", "title": "DokuWiki: Multiple vulnerabilities", "description": "### Background\n\nDokuWiki is a simple to use Wiki aimed at a small company\u2019s documentation needs. \n\n### Description\n\nMultiple vulnerabilities have been discovered in DokuWiki. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nThe vulnerabilities might allow an attacker to disclose local files, to inject arbitrary web script, or to gain elevated privileges in the DokuWiki application. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll DokuWiki users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-apps/dokuwiki-20121013\"", "published": "2013-01-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201301-07", "cvelist": ["CVE-2010-0288", "CVE-2010-0289", "CVE-2012-0283", "CVE-2011-2510", "CVE-2011-3727", "CVE-2010-0287"], "lastseen": "2016-09-06T19:46:19"}]}}
