CGI::FormBuilder->field has a context-dependent API, similar to the CGI->param API that led to Bugzilla's CVE-2014-1572. Parts of ikiwiki incorrectly called this method in list context when a scalar result, which could lead to two relatively minor attacks: In the comments plugin, an attacker who was able to post a comment could give it a user-specified author and author-URL even if the wiki configuration did not allow for that, by crafting multiple values to other fields. Also, in the editpage plugin, an attacker who was able to edit a page could potentially forge commit authorship by crafting multiple values for the rcsinfo field. References: http://seclists.org/oss-sec/2016/q4/778
Created ikiwiki tracking bugs for this issue: Affects: fedora-all [bug 1406695] Affects: epel-6 [bug 1406696]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.