mageia / Gentoo Foundation / MGASA-2014-0540
History: Dec 19, 2014 - 6:17 p.m.

Updated dokuwiki package fixes CVE-2014-9253

2014-12-19 18:17:07
Gentoo Foundation
advisories.mageia.org

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 61.3%)

The updated dokuwiki package fixes a security vulnerability. Our current dokuwiki-20140929-1.1.mga4 package uses the dokuwiki-2014-09-29a source, which allows swf (application/x-shockwave-flash) uploads by default. This may be used for a cross-site scripting (XSS) attack, which enables attackers to inject client-side script into web pages viewed by other users (CVE-2014-9253). This update uses the dokuwiki-2014-09-29b hotfix source, which disables swf uploads by default and fixes the issue.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Mageia | 4 | noarch | dokuwiki | < 20140929-1.2 | dokuwiki-20140929-1.2.mga4 |
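
To confirm that a wiki no longer accepts swf uploads after the update, the upload allow-list can be audited. The following is an added example, not code from the advisory or from DokuWiki. It assumes the allow-list is text with one `extension mime/type` pair per line, `#` comments, an optional `!` flag on the type, and a local list that overrides the default one; the sample lists are constructed.

```python
# Added example: audit an upload allow-list for Flash (swf) entries.
# Assumed format (not shown on the advisory page): one "extension  mime/type"
# pair per line, "#" starts a comment, a leading "!" on the type is a flag.
FLASH_MIME = "application/x-shockwave-flash"

def parse_allowlist(text):
    """Return {extension: mime} for every active (uncommented) line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: extension without a type
        ext, mime = parts[0].lower(), parts[1].lstrip("!").lower()
        entries[ext] = mime
    return entries

def flash_upload_findings(default_text, local_text=""):
    """Merge default and local lists; report entries that allow Flash uploads."""
    merged = parse_allowlist(default_text)
    merged.update(parse_allowlist(local_text))  # assumed: local overrides default
    return sorted(ext for ext, mime in merged.items()
                  if ext == "swf" or mime == FLASH_MIME)

# Constructed samples modelled on the advisory's "before" and "after" states.
BEFORE = """\
jpg     image/jpeg
png     image/png
swf     application/x-shockwave-flash
"""
AFTER = """\
jpg     image/jpeg
png     image/png
#swf    application/x-shockwave-flash
"""
LOCAL_REENABLE = "flash   !application/x-shockwave-flash  # constructed override\n"

if __name__ == "__main__":
    for name, args in [("2014-09-29a-style", (BEFORE,)),
                       ("2014-09-29b-style", (AFTER,)),
                       ("hotfix + local override", (AFTER, LOCAL_REENABLE))]:
        print(name, "->", flash_upload_findings(*args) or "no swf uploads allowed")
```

The third case shows why the check matches on the MIME type as well as the extension: a local entry under a different extension can re-enable Flash uploads after the package update.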
