oss-sec mailing list archives
Re: CVE Request -- DokuWiki -- XSS in DokuWiki's RSS embedding mechanism
From: Josh Bressers <bressers () redhat com>
Date: Wed, 29 Jun 2011 15:55:11 -0400 (EDT)
Please use CVE-2011-2510.

Thanks.

--
JB

----- Original Message -----

Hello Josh, Steve, vendors,

it was found that DokuWiki's RSS embedding mechanism did not properly
escape user-provided links. An attacker could use this flaw to conduct
cross-site scripting (XSS) attacks, potentially leading to arbitrary
JavaScript code execution.

References:
-----------
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818
[2] http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html
[3] http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind
[4] https://bugzilla.redhat.com/show_bug.cgi?id=717146

Solution:
---------
This issue has been addressed in upstream "2011-05-25 Rincewind" release:
[5] http://www.dokuwiki.org/changes

This issue doesn't seem to have a CVE identifier yet.
Could you allocate one?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team