MGASA-2012-0207
Date: August 12th, 2012
Affected releases: 2
Description:
Updated dokuwiki package fixes security vulnerabilities:
Cross-site scripting (XSS) vulnerability in the tpl_mediaFileList
function in inc/template.php in DokuWiki before 2012-01-25b allows
remote attackers to inject arbitrary web script or HTML via the ns
parameter in a medialist action to lib/exe/ajax.php
(SA49196, CVE-2012-0283).
Cross-site scripting (XSS) and cross-site request forgery (CSRF)
flaws were found in the way DokuWiki, a standards-compliant,
simple-to-use wiki, sanitized the 'target' parameter when
preprocessing edit form data. A remote attacker could provide a
specially crafted URL which, once visited by a valid DokuWiki user,
would lead to arbitrary HTML or web script execution in the context
of the logged-in DokuWiki user (SA48848, CVE-2012-2128, CVE-2012-2129).
Updated Packages:
dokuwiki-20120125-1.mga2
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2129
https://secunia.com/advisories/48848/
http://www.securelist.com/en/advisories/49196
https://www.dokuwiki.org/changes
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081284.html
https://bugs.mageia.org/show_bug.cgi?id=6166