CVE-2016-7965

Published: 31 October 2016

DokuWiki 2016-06-26a and older builds the password-reset URL from $_SERVER['HTTP_HOST'] rather than from the configured baseurl setting. Because the HTTP Host header is controlled by the client, a remote unauthenticated attacker who requests a reset for a victim's account can have the reset e-mail carry a link whose hostname points at a server the attacker controls, which enables phishing. The issue can be triggered only when the Host header is not part of the web server's routing decision, for example when several domains are served by the same web server and a catch-all virtual host answers for any Host value; a server that only accepts requests for the names it is configured to serve is not affected.
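The following is an added example, not DokuWiki's own code, that contrasts the two ways of building the reset link described above and models the routing precondition. The query-string layout (do=resendpwd, pwauth=token), the setting name CONFIGURED_BASEURL and the allowlist ALLOWED_HOSTS are assumptions for illustration; the request headers and token are constructed sample data.

```python
"""Host-header poisoning of a password-reset link (pattern of CVE-2016-7965).

Added illustration, not DokuWiki source. Shows why trusting the request's
Host header (PHP's $_SERVER['HTTP_HOST']) lets an attacker choose the host
in the e-mailed link, and why a configured base URL, or strict Host-based
routing in front of the application, removes the problem.
"""
from urllib.parse import urlencode, urlsplit

# Constructed sample requests (not captured traffic). The Host header is
# whatever the client sends, so the attacker picks it freely.
LEGIT_REQUEST = {"Host": "wiki.example.org"}
POISONED_REQUEST = {"Host": "wiki.attacker.example"}

# Assumed administrator setting, standing in for DokuWiki's `baseurl` option.
CONFIGURED_BASEURL = "https://wiki.example.org"

# Assumed set of hostnames the web server is actually configured to serve.
ALLOWED_HOSTS = {"wiki.example.org"}

# Constructed token; a real reset token must be random and single-use.
RESET_TOKEN = "3f9c0b2a7d1e"


def reset_path(token: str) -> str:
    """Path and query for the reset action (layout assumed, not verified)."""
    return "/doku.php?" + urlencode({"do": "resendpwd", "pwauth": token})


def build_reset_link_vulnerable(request_headers: dict, token: str) -> str:
    """Pre-fix pattern: the link's host is copied from the Host header.

    Whatever host the attacker put in the request ends up in the e-mail the
    victim receives, together with the secret reset token.
    """
    host = request_headers["Host"]
    return f"https://{host}{reset_path(token)}"


def build_reset_link_hardened(baseurl: str, token: str) -> str:
    """Fixed pattern: the link's host comes from the configured base URL.

    The request's Host header is never consulted, so the attacker cannot
    influence where the victim is sent.
    """
    return baseurl.rstrip("/") + reset_path(token)


def host_is_routable(request_headers: dict, allowed_hosts: set) -> bool:
    """Models a web server where Host takes part in routing.

    If the front end only dispatches requests whose Host matches a configured
    name (no catch-all virtual host), a poisoned request never reaches the
    reset handler and the vulnerable code path cannot be triggered.
    """
    host = request_headers.get("Host", "").split(":")[0].strip().lower()
    return host in allowed_hosts


def link_leaves_trusted_host(link: str, trusted_host: str) -> bool:
    """True when the generated link would send the victim elsewhere."""
    return urlsplit(link).hostname != trusted_host


if __name__ == "__main__":
    for label, req in (("legit", LEGIT_REQUEST), ("poisoned", POISONED_REQUEST)):
        vulnerable = build_reset_link_vulnerable(req, RESET_TOKEN)
        hardened = build_reset_link_hardened(CONFIGURED_BASEURL, RESET_TOKEN)
        print(f"{label}: routable={host_is_routable(req, ALLOWED_HOSTS)}")
        print(f"  vulnerable link: {vulnerable}")
        print(f"  hardened link:   {hardened}")
```

Running the script shows that only the vulnerable builder reproduces the attacker's host in the link, and that the poisoned request is rejected by the Host allowlist, which is exactly the "Host header is part of the routing process" condition under which the advisory says the bug cannot be triggered.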

Notes

Author     Note
ebarretto  Setting to ignored as upstream won't fix it.
Maintainer note:
Autodetecting the host is an important feature for setting up wiki farms and it is a major convenience factor for our users (on installation, on moving the wiki between servers and accessing it from different network locations), so I'm leaning towards a WONTFIX here.

Priority

Medium

CVSS 3 Severity Score

6.5


Status

Package: dokuwiki (Launchpad, Ubuntu, Debian)

Release   Status
artful    Ignored (end of life)
bionic    Ignored
cosmic    Ignored
precise   Ignored (end of life)
trusty    Does not exist (trusty was ignored)
upstream  Needs triage
xenial    Ignored
yakkety   Ignored (end of life)
zesty     Ignored (end of life)

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality impact None
Integrity impact High
Availability impact None
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N