627154 – (CVE-2017-12583) <www-apps/dokuwiki-{20160626e, 20170219e}: XSS in the at parameter (aka the DATE_AT variable) to doku.php (CVE-2017-12583)

Bug 627154 (CVE-2017-12583) - <www-apps/dokuwiki-{20160626e, 20170219e}: XSS in the at parameter (aka the DATE_AT variable) to doku.php (CVE-2017-12583)

Summary: <www-apps/dokuwiki-{20160626e, 20170219e}: XSS in the at parameter (aka the D...

Status:	RESOLVED FIXED

Alias:	CVE-2017-12583

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-08-06 08:15 UTC by Aleksandr Wagner (Kivak)
Modified:	2017-08-25 13:32 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aleksandr Wagner (Kivak) 2017-08-06 08:15:20 UTC

CVE-2017-12583 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12583):

DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. 

References:

https://github.com/splitbrain/dokuwiki/issues/2061

Patch:

https://github.com/phy25/dokuwiki/commit/6057f47313819fa346dce7b72cf3922ba7931f1a

Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2017-08-24 10:04:40 UTC

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c31676125999f57f4e98a7b2c63346f6fe14261f

www-apps/dokuwiki: Add releases 20160626e and 20170219e - security bump to address CVE-2017-{12583,12979,12980}. Fixes bug 627154 and bug 628482.