It was found that DokuWiki's RSS embedding mechanism did not properly escape user-provided links. An attacker could use this flaw to conduct cross-site scripting (XSS) attacks, potentially leading to arbitrary JavaScript code execution.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818
[2] http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html
[3] http://www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind

Solution:
This issue has been addressed in upstream "2011-05-25 Rincewind" release:
[4] http://www.dokuwiki.org/changes
This issue affects the versions of the dokuwiki package, as shipped with Fedora releases 14 and 15.

--

This issue affects the versions of the dokuwiki package, as present within EPEL-5 and EPEL-6 repositories. Please schedule an update.
CVE Request: [5] http://www.openwall.com/lists/oss-security/2011/06/28/5
Created dokuwiki tracking bugs for this issue

Affects: epel-all [bug 717148]
Affects: fedora-all [bug 717149]
The CVE identifier of CVE-2011-2510 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/06/29/13