Bug 717146 (CVE-2011-2510) - CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding mechanism
Summary: CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding mechanism
Alias: CVE-2011-2510
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: public=20110614,reported=20110627,sou...
Depends On: 717148 717149
TreeView+ depends on / blocked
Reported: 2011-06-28 07:14 UTC by Jan Lieskovsky
Modified: 2019-06-08 18:51 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-08-12 22:13:21 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2011-06-28 07:14:16 UTC
It was found that DokuWiki's RSS embedding mechanism did not properly
escape user-provided links. An attacker could use this flaw to conduct
cross-site scripting (XSS) attacks, potentially leading to arbitrary
JavaScript code execution.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818
[2] http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html
[3] http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind

This issue has been addressed in upstream "2011-05-25 Rincewind" release:
[4] http://www.dokuwiki.org/changes

Comment 1 Jan Lieskovsky 2011-06-28 07:20:45 UTC
This issue affects the versions of the dokuwiki package, as shipped with
Fedora release of 14 and 15.


This issue affects the versions of the dokuwiki package, as present within
EPEL-5 and EPEL-6 repositories. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-06-28 07:21:48 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/28/5

Comment 3 Jan Lieskovsky 2011-06-28 07:22:50 UTC
Created dokuwiki tracking bugs for this issue

Affects: epel-all [bug 717148]
Affects: fedora-all [bug 717149]

Comment 4 Jan Lieskovsky 2011-06-30 08:10:59 UTC
The CVE identifier of CVE-2011-2510 has been assigned to this issue:

Note You need to log in before you can comment on or make changes to this bug.