PT-2007-5150 · DokuWiki, Internet Explorer

Published: 2007-07-21 · Updated: 2021-07-23 · CVE-2007-3930

CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerable software and affected versions: DokuWiki releases before 2007-06-26b
Description: An interpretation conflict between DokuWiki and Microsoft Internet Explorer allows remote attackers to inject arbitrary JavaScript and carry out cross-site scripting (XSS). The `spell_utf8test` function in lib/exe/spellcheck.php, used to spellcheck UTF-8 encoded messages, returns its response with a Content-Type header of text/plain; Internet Explorer nevertheless sniffs the body, identifies it as an HTML document and executes any script it contains. The declared MIME type therefore does not prevent the attack: what matters is the attacker-influenced content in the response body and the browser's willingness to override the declared type.
Recommendations: Upgrade to DokuWiki 2007-06-26b or later, which resolves the issue. Until the upgrade is in place, disabling the `spell_utf8test` function in lib/exe/spellcheck.php, or restricting access to the spellcheck functionality altogether, reduces the exposed surface. Note that a correct Content-Type header alone is not a mitigation here, since the affected browser ignores it.
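The mechanism described above, as an added example that is not part of the original advisory and not DokuWiki's code: a hypothetical handler that echoes the caller's bytes back under text/plain, a hardened variant, and a heuristic approximating the client-side sniffing decision. The handler names, the reflected-output behaviour and the marker list are assumptions for illustration; the one factual anchor is that old Internet Explorer based its decision on roughly the first 256 bytes of the body.

```python
"""Added illustration of the advisory's root cause (constructed example,
not DokuWiki code): a response whose declared Content-Type is text/plain
is still an XSS vector if the client sniffs the body and treats it as HTML."""

# Assumptions for illustration: old IE inspected roughly the first 256 bytes
# of a response; the marker list is a representative subset, not IE's real table.
SNIFF_WINDOW = 256
HTML_MARKERS = (
    b"<html", b"<head", b"<body", b"<script", b"<title", b"<a ",
    b"<img", b"<iframe", b"<table", b"<div", b"<plaintext", b"<pre",
)


def is_utf8(data: bytes) -> bool:
    """The check a utf8-test endpoint performs on the submitted bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def vulnerable_utf8test(data: bytes) -> tuple[dict, bytes]:
    """Hypothetical handler showing the vulnerable pattern: the verdict is
    followed by the caller's own bytes, echoed verbatim. The server assumes
    text/plain makes this harmless; a sniffing browser disagrees."""
    headers = {"Content-Type": "text/plain"}
    verdict = b"1" if is_utf8(data) else b"0"
    return headers, verdict + b"\n" + data


def hardened_utf8test(data: bytes) -> tuple[dict, bytes]:
    """Hardened variant: never reflect untrusted bytes, declare the charset,
    and tell browsers that honour it (IE8 and later) not to sniff."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, b"1" if is_utf8(data) else b"0"


def sniffable_as_html(headers: dict, body: bytes) -> bool:
    """Heuristic approximating the client-side decision that made the bug
    exploitable: a non-HTML declared type is overridden when HTML markers
    appear in the leading bytes and nothing forbids sniffing. Not IE's
    actual algorithm; sufficient to compare the two handlers."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return True
    if headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff":
        return False
    window = body[:SNIFF_WINDOW].lower()
    return any(marker in window for marker in HTML_MARKERS)


# Constructed payload: what an attacker would submit as the "message" to test.
PAYLOAD = b"<script>alert(document.cookie)</script>"


def compare_handlers(data: bytes = PAYLOAD) -> dict:
    """Return whether each handler's response would run script in a sniffing client."""
    return {
        "vulnerable": sniffable_as_html(*vulnerable_utf8test(data)),
        "hardened": sniffable_as_html(*hardened_utf8test(data)),
    }


if __name__ == "__main__":
    for name, exploitable in compare_handlers().items():
        print(f"{name}: {'script would execute' if exploitable else 'safe'}")
```

The nosniff header only arrived with IE8, so for the browsers in scope in 2007 the effective server-side fix is not echoing untrusted bytes into the response (or upgrading to the fixed release); the header is defence in depth for later clients.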

Related identifiers

CVE-2007-3930

Affected products

DokuWiki
Internet Explorer