info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1011056: dokuwiki: CVE-2022-28919 XSS vulnerability via the function _generateFilename
1 view
Skip to first unread message
Neil Williams
May 16, 2022, 5:20:04 AM5/16/22
to
Source: dokuwiki
Version: 0.0.20200729-0.1
Severity: important
Tags: security
X-Debbugs-Cc: code...@debian.org, Debian Security Team <te...@security.debian.org>
Hi,
The following vulnerability was published for dokuwiki.
CVE-2022-28919[0]:
| HTMLCreator release_stable_2020-07-29 was discovered to contain a
| cross-site scripting (XSS) vulnerability via the function
| _generateFilename.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-28919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Version: 0.0.20200729-0.1
Severity: important
Tags: security
X-Debbugs-Cc: code...@debian.org, Debian Security Team <te...@security.debian.org>
Hi,
The following vulnerability was published for dokuwiki.
CVE-2022-28919[0]:
| HTMLCreator release_stable_2020-07-29 was discovered to contain a
| cross-site scripting (XSS) vulnerability via the function
| _generateFilename.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-28919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Axel Beckert
May 16, 2022, 5:40:04 AM5/16/22
to
Control: forwarded -1 https://github.com/splitbrain/dokuwiki/issues/3651
Control: tag -1 + fixed-upstream
Control: found -1 0.0.20220317~gitaeff85c-0.1~exp1
Hi Neil,
thanks for the bug report.
Neil Williams wrote:
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-28919
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
The relevant information seems to be in
https://github.com/splitbrain/dokuwiki/issues/3651
> Please adjust the affected versions in the BTS as needed.
Thanks for the reminder. I updated the upper limit based on its date
and the information in the upstream bug report that the fix was made
just four days ago.
Upstream though hasn't made any new upstream release with this fix
yet, so we will either do an upload of a git snapshot or
cherry-picking that commit. (JFTR, mostly for Anton: Upstream's
release plans for the next stable release are here:
https://github.com/splitbrain/dokuwiki/projects/6)
Figuring out which older releases are affected likely needs some more
digging in upstream's and/or in the library's upstream git repo.
Regards, Axel
--
,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
Control: tag -1 + fixed-upstream
Control: found -1 0.0.20220317~gitaeff85c-0.1~exp1
Hi Neil,
thanks for the bug report.
Neil Williams wrote:
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-28919
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919
https://github.com/splitbrain/dokuwiki/issues/3651
> Please adjust the affected versions in the BTS as needed.
and the information in the upstream bug report that the fix was made
just four days ago.
Upstream though hasn't made any new upstream release with this fix
yet, so we will either do an upload of a git snapshot or
cherry-picking that commit. (JFTR, mostly for Anton: Upstream's
release plans for the next stable release are here:
https://github.com/splitbrain/dokuwiki/projects/6)
Figuring out which older releases are affected likely needs some more
digging in upstream's and/or in the library's upstream git repo.
Regards, Axel
--
,''`. | Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
0 new messages