CVE-2017-12980

Name of the Vulnerable Software and Affected Versions DokuWiki versions prior to 2017-02-19c

Description The issue allows for stored XSS when rendering malicious RSS or Atom feeds, specifically in the /inc/parser/xhtml.php file. An attacker can exploit this by creating or editing a wiki that uses RSS or Atom data from an attacker-controlled server, triggering JavaScript execution. The JavaScript can be embedded in an author field, such as the dc:creator element.

Recommendations For DokuWiki versions prior to 2017-02-19c, consider restricting the use of RSS or Atom feeds from untrusted sources until a patch is available. As a temporary workaround, avoid using the /inc/parser/xhtml.php file for rendering feeds from potentially malicious servers.