PT-2018-13040 · Dokuwiki · Dokuwiki
Jean-Benjamin Rousseau · Published 2018-09-07 · Updated 2024-08-05
CVE-2018-15474
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
DokuWiki versions 2018-04-22a and earlier
Description
The issue allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export in the /lib/plugins/usermanager/admin.php file. The vendor has stated that this is not a security problem in DokuWiki.
Recommendations
For DokuWiki versions 2018-04-22a and earlier, consider disabling the CSV export feature in the /lib/plugins/usermanager/admin.php file until a resolution is provided by the vendor.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Affected Products
Dokuwiki