Issue

Renderer output can be exported using the ?do=export_<renderer> mechanism. Unintentionally this was also true for the metadata renderer, even though this renderer does not really have "output". However, it does use the $doc property of the renderer to render the abstract and never clears that doc. Since this raw document is not escaped for output, it could be used to output JavaScript.

Impact

The vulnerability allows users with write permissions to any page to inject malicious JavaScript, which will be output when visiting the metadata export URL. Attackers might trick privileged users into visiting that URL and use the JavaScript to extract cookie/authentication data from the victim.
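The export path and the missing escaping described above, as an added toy illustration in PHP. This is not DokuWiki's code and not the upstream fix; ToyRenderer, ToyXhtmlRenderer, ToyMetadataRenderer, isExportable, documentEnd, exportVulnerable and exportHardened are hypothetical names, and the sample wiki text is constructed. It shows why a renderer whose $doc holds raw text must not be reachable through a generic export URL, and two layers that close the gap: declaring the renderer non-exportable and clearing the scratch buffer when rendering ends.

```php
<?php
// Added illustration (not DokuWiki's code): a toy renderer export path that
// reproduces the failure mode from the issue, beside a hardened form.
// All class and function names here are hypothetical.

abstract class ToyRenderer
{
    // Output buffer shared by all renderers, like the advisory's $doc property.
    public string $doc = '';

    public function cdata(string $text): void {}

    // Hook called when the document is finished; no-op by default.
    public function documentEnd(): void {}

    // Does this renderer produce output meant for ?do=export_<name>?
    public function isExportable(): bool
    {
        return true;
    }
}

// XHTML renderer: everything written to $doc is escaped for the browser.
class ToyXhtmlRenderer extends ToyRenderer
{
    public function cdata(string $text): void
    {
        $this->doc .= htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Metadata renderer: it has no real "output" but borrows $doc as scratch
// space to build the page abstract from raw wiki text.
class ToyMetadataRenderer extends ToyRenderer
{
    public array $meta = [];

    public function cdata(string $text): void
    {
        $this->doc .= $text; // raw, unescaped: acceptable for metadata, not for a page
        $this->meta['abstract'] = $this->doc;
    }

    // Hardening, layer 1: declare that there is nothing to export.
    public function isExportable(): bool
    {
        return false;
    }

    // Hardening, layer 2: clear the scratch buffer once the abstract is
    // stored, so a stray export finds nothing to print.
    public function documentEnd(): void
    {
        $this->doc = '';
    }
}

// Vulnerable dispatcher: emits $doc for whatever renderer the URL names.
function exportVulnerable(ToyRenderer $r, string $wikiText): string
{
    $r->cdata($wikiText);
    return $r->doc;
}

// Hardened dispatcher: exportability is a property of the renderer, and a
// renderer without output is answered like an unknown renderer name.
function exportHardened(?ToyRenderer $r, string $wikiText): ?string
{
    if ($r === null || !$r->isExportable()) {
        return null; // caller responds with 404 / "nothing to export"
    }
    $r->cdata($wikiText);
    $r->documentEnd();
    return $r->doc;
}

// Constructed sample: page text containing markup an ordinary editor may save.
$wikiText = 'Summary <em>with inline markup</em> saved by an editor';

echo "vulnerable/metadata: ", exportVulnerable(new ToyMetadataRenderer(), $wikiText), "\n";
echo "hardened/metadata:   ", var_export(exportHardened(new ToyMetadataRenderer(), $wikiText), true), "\n";
echo "hardened/xhtml:      ", exportHardened(new ToyXhtmlRenderer(), $wikiText), "\n";
```

Running this with any PHP 7.4 or newer interpreter, the vulnerable dispatcher hands the metadata renderer's buffer back with the editor's markup intact, which is the unescaped output the advisory describes. The hardened dispatcher returns null for the metadata renderer because it is no longer exportable, while the XHTML renderer still exports its already-escaped buffer. Keeping both layers matters: the exportability flag stops the URL from reaching the renderer at all, and clearing $doc in documentEnd() means that even a future code path that does expose it would find an empty buffer.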
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1b51008ed603e16c0a87258087e5f6e585eae3d

commit f1b51008ed603e16c0a87258087e5f6e585eae3d
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2024-08-30 09:25:14 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2024-08-30 09:25:14 +0000

    www-apps/dokuwiki: add 20240206b

    Security update.

    Bug: https://bugs.gentoo.org/938729
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/dokuwiki/Manifest                  |  1 +
 www-apps/dokuwiki/dokuwiki-20240206b.ebuild | 85 +++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
No stable versions so no need for a GLSA. All done, thanks!