Bug#1036279: XSS in RSS syntax
Control: retitle -1 dokuwiki: CVE-2023-34408: XSS in RSS syntax

Hi,

On Thu, May 18, 2023 at 03:19:05PM +0200, Moritz Muehlenhoff wrote:
> Source: dokuwiki
> Version: 0.0.20220731.a-1
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team
>
> No CVE yet:
> https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
> https://github.com/dokuwiki/dokuwiki/pull/3967
> https://www.github.com/splitbrain/dokuwiki/commit/53df38b0e4465894a67a5890f74a6f5f82e827de

CVE-2023-34408 has been assigned for this issue.

Regards,
Salvatore
Bug#1036279: XSS in RSS syntax
Hi Moritz,

Moritz Muehlenhoff wrote:
> Severity: grave

Thanks for the severity assessment by the security team. I wasn't really sure if this is RC or "just important".

I've had a look at the new upstream tarballs, but the diff is unfortunately huge:

$ tardiff dokuwiki-2022-07-31{a,b}.tgz
- composer.json
- composer.lock
- data/pages/playground
- data/pages/playground/playground.txt
- lib/plugins/authpdo/_test
- lib/plugins/authpdo/_test/mysql
- lib/plugins/authpdo/_test/mysql.test.php
- lib/plugins/authpdo/_test/mysql/fluxbb.php
- lib/plugins/authpdo/_test/mysql/fluxbb.sql
- lib/plugins/authpdo/_test/mysql/mybb.php
- lib/plugins/authpdo/_test/mysql/mybb.sql
- lib/plugins/authpdo/_test/mysql/wordpress.php
- lib/plugins/authpdo/_test/mysql/wordpress.sql
- lib/plugins/authpdo/_test/pgsql
- lib/plugins/authpdo/_test/pgsql.test.php
- lib/plugins/authpdo/_test/pgsql/django.php
- lib/plugins/authpdo/_test/pgsql/django.sql
- lib/plugins/authpdo/_test/sqlite.test.php
- lib/plugins/authpdo/_test/test.sqlite3
- lib/plugins/authplain/_test
- lib/plugins/authplain/_test/conf
- lib/plugins/authplain/_test/conf/auth.users.php
- lib/plugins/authplain/_test/escaping.test.php
- lib/plugins/authplain/_test/userdata.test.php
- lib/plugins/config/_test
- lib/plugins/config/_test/ConfigParserTest.php
- lib/plugins/config/_test/DocumentationTest.php
- lib/plugins/config/_test/LoaderExtraDefaultsTest.php
- lib/plugins/config/_test/LoaderTest.php
- lib/plugins/config/_test/Setting
- lib/plugins/config/_test/Setting/AbstractSettingTest.php
- lib/plugins/config/_test/Setting/SettingArrayTest.php
- lib/plugins/config/_test/Setting/SettingNumericTest.php
- lib/plugins/config/_test/Setting/SettingNumericoptTest.php
- lib/plugins/config/_test/Setting/SettingOnoffTest.php
- lib/plugins/config/_test/Setting/SettingStringTest.php
- lib/plugins/config/_test/Setting/SettingTest.php
- lib/plugins/config/_test/WriterTest.php
- lib/plugins/config/_test/data
- lib/plugins/config/_test/data/config.php
- lib/plugins/config/_test/data/metadata.php
- lib/plugins/extension/_test
- lib/plugins/extension/_test/extension.test.php
- lib/plugins/extension/_test/testdata
- lib/plugins/extension/_test/testdata/either1
- lib/plugins/extension/_test/testdata/either1/script.js
- lib/plugins/extension/_test/testdata/eithersub2
- lib/plugins/extension/_test/testdata/eithersub2/either2
- lib/plugins/extension/_test/testdata/eithersub2/either2/script.js
- lib/plugins/extension/_test/testdata/plgfoo5
- lib/plugins/extension/_test/testdata/plgfoo5/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3/syntax.php
- lib/plugins/extension/_test/testdata/plgsub4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6/plugin.info.txt
- lib/plugins/extension/_test/testdata/plugin1
- lib/plugins/extension/_test/testdata/plugin1/syntax.php
- lib/plugins/extension/_test/testdata/plugin2
- lib/plugins/extension/_test/testdata/plugin2/plugin.info.txt
- lib/plugins/extension/_test/testdata/template1
- lib/plugins/extension/_test/testdata/template1/main.php
- lib/plugins/extension/_test/testdata/template1/style.ini
- lib/plugins/extension/_test/testdata/template2
- lib/plugins/extension/_test/testdata/template2/template.info.txt
- lib/plugins/extension/_test/testdata/tplfoo5
- lib/plugins/extension/_test/testdata/tplfoo5/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub3
- lib/plugins/extension/_test/testdata/tplsub3/template3
- lib/plugins/extension/_test/testdata/tplsub3/template3/main.php
- lib/plugins/extension/_test/testdata/tplsub3/template3/style.ini
- lib/plugins/extension/_test/testdata/tplsub4
- lib/plugins/extension/_test/testdata/tplsub4/template4
- lib/plugins/extension/_test/testdata/tplsub4/template4/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6/template.info.txt
- lib/plugins/styling/.travis.yml
- lib/plugins/styling/_test
- lib/plugins/styling/_test/colors.test.php
- lib/plugins/styling/_test/general.test.php
- lib/plugins/testing
- lib/plugins/testing/_test
- lib/plugins/testing/_test/dummy_plugin_integration_test.test.php
- lib/plugins/testing/_test/dummy_plugin_test.test.php
- lib/plugins/testing/action.php
- lib/plugins/testing/conf
- lib/plugins/testing/conf/default.php
- lib/plugins/testing/conf/metadata.php
- lib/plugins/testing/lang
- lib/plugins/testing/lang/en
- lib/plugins/testing/lang/en/settings.php
- lib/plugins/testing/plugin.info.txt
- lib/plugins/usermanager/_test
- lib/plugins/usermanager/_test/csv_export.test.php
-
Bug#1036279: XSS in RSS syntax
Source: dokuwiki
Version: 0.0.20220731.a-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

No CVE yet:
https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
https://github.com/dokuwiki/dokuwiki/pull/3967
https://www.github.com/splitbrain/dokuwiki/commit/53df38b0e4465894a67a5890f74a6f5f82e827de

Cheers,
Moritz