[arch-security] [ASA-201412-19] dokuwiki: cross-site scripting
Levente Polyak
anthraxx at archlinux.org
Tue Dec 16 15:19:24 UTC 2014
Arch Linux Security Advisory ASA-201412-19
==========================================
Severity: Medium
Date : 2014-12-16
CVE-ID : CVE-2014-9253
Package : dokuwiki
Type : cross-site scripting
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package dokuwiki before version 20140929_b-1 is vulnerable to
cross-site scripting.
Resolution
==========
Upgrade to 20140929_b-1.
# pacman -Syu "dokuwiki>=20140929_b-1"
The problem has been fixed upstream in version 20140929_b.
Workaround
==========
None.
Description
===========
It was discovered that dokuwiki did not sufficiently filter uploaded
files. A remote attacker with upload access is able to use this flaw in
order to upload SWF files leading to possible cross-site scripting.
Impact
======
A remote attacker with upload access is able to craft a SWF file to
perform a cross-site scripting attack.
References
==========
https://access.redhat.com/security/cve/CVE-2014-9253
http://seclists.org/oss-sec/2014/q4/1050
https://www.dokuwiki.org/changes#release_2014-09-29b_hrun
https://github.com/splitbrain/dokuwiki/commit/778ddf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141216/6cab6802/attachment.bin>
More information about the arch-security
mailing list