Bug 717146 - (CVE-2011-2510) CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding mechanism
CVE-2011-2510 dokuwiki: XSS in DokuWiki's RSS embedding mechanism
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 717148 717149
  Show dependency treegraph
Reported: 2011-06-28 03:14 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:04 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-08-12 18:13:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-06-28 03:14:16 EDT
It was found that DokuWiki's RSS embedding mechanism did not properly
escape user-provided links. An attacker could use this flaw to conduct
cross-site scripting (XSS) attacks, potentially leading to arbitrary
JavaScript code execution.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818
[2] http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html
[3] http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind

This issue has been addressed in upstream "2011-05-25 Rincewind" release:
[4] http://www.dokuwiki.org/changes
Comment 1 Jan Lieskovsky 2011-06-28 03:20:45 EDT
This issue affects the versions of the dokuwiki package, as shipped with
Fedora release of 14 and 15.


This issue affects the versions of the dokuwiki package, as present within
EPEL-5 and EPEL-6 repositories. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-06-28 03:21:48 EDT
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/06/28/5
Comment 3 Jan Lieskovsky 2011-06-28 03:22:50 EDT
Created dokuwiki tracking bugs for this issue

Affects: epel-all [bug 717148]
Affects: fedora-all [bug 717149]
Comment 4 Jan Lieskovsky 2011-06-30 04:10:59 EDT
The CVE identifier of CVE-2011-2510 has been assigned to this issue:

Note You need to log in before you can comment on or make changes to this bug.