Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 938729

Summary: <www-apps/dokuwiki-20240206b: stored XSS vulnerability
Product: Gentoo Security Reporter: Viorel Munteanu <ceamac>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/dokuwiki/dokuwiki/issues/4305
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Viorel Munteanu gentoo-dev 2024-08-30 09:24:17 UTC 
Issue

Renderer output can be exported using the ?do=export_<renderer> mechanism. Unintentionally this was also true for the metadata renderer, even though this renderer does not really have "output". However it does use the $doc property of the renderer to render the abstract and never clears that doc. Since this raw document is not escaped for output it could be used to output javascript.

Impact

The vulnerability allows users with write permissions to any page, inject malicious JavaScript which will be output when visiting the metadata export URL. Attackers might trick privileged users to visit that URL and use the JavaScript to extract cookie/authentication data from the victim.
Comment 1 Larry the Git Cow gentoo-dev 2024-08-30 09:27:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1b51008ed603e16c0a87258087e5f6e585eae3d

commit f1b51008ed603e16c0a87258087e5f6e585eae3d
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2024-08-30 09:25:14 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2024-08-30 09:25:14 +0000

    www-apps/dokuwiki: add 20240206b
    
    Security update.
    
    Bug: https://bugs.gentoo.org/938729
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 www-apps/dokuwiki/Manifest                  |  1 +
 www-apps/dokuwiki/dokuwiki-20240206b.ebuild | 85 +++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-08-31 06:08:12 UTC 
No stable versions so no need for a GLSA.

All done, thanks!