Vulnerability CVE-2011-2510

Vulnerability Name:

CVE-2011-2510 (CCN-68122)

Assigned:

2011-06-14

Published:

2011-06-14

Updated:

2017-08-29

Summary:

Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attackers to inject arbitrary web script or HTML via a link.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: CONFIRM
Type: Patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631818

Source: MITRE
Type: CNA
CVE-2011-2510

Source: FEDORA
Type: UNKNOWN
FEDORA-2011-8831

Source: FEDORA
Type: UNKNOWN
FEDORA-2011-8816

Source: CCN
Type: SA45009
DokuWiki rss Script Insertion Vulnerability

Source: SECUNIA
Type: Vendor Advisory
45009

Source: SECUNIA
Type: Vendor Advisory
45190

Source: GENTOO
Type: UNKNOWN
GLSA-201301-07

Source: MISC
Type: UNKNOWN
http://www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html

Source: DEBIAN
Type: UNKNOWN
DSA-2320

Source: DEBIAN
Type: DSA-2320
dokuwiki -- regression fix

Source: MISC
Type: UNKNOWN
http://www.dokuwiki.org/changes

Source: CCN
Type: DokuWiki Mailinglist
Hotfix Release "2011-05-25a Rincewind"

Source: MLIST
Type: Patch
[dokuwiki] 20110614 Hotfix Release "2011-05-25a Rincewind"

Source: MLIST
Type: Patch
[oss-security] 20110628 CVE Request -- DokuWiki -- XSS in DokuWiki's RSS embedding mechanism

Source: MLIST
Type: Patch
[oss-security] 20110629 Re: CVE Request -- DokuWiki -- XSS in DokuWiki's RSS embedding mechanism

Source: CCN
Type: OSVDB ID: 73200
DokuWiki RSS Link rss Tag XSS

Source: BID
Type: UNKNOWN
48364

Source: CCN
Type: BID-48364
Dokuwiki 'url' HTML Injection Vulnerability

Source: CCN
Type: DokuWiki Web site
DokuWiki

Source: CONFIRM
Type: Patch
https://bugzilla.redhat.com/show_bug.cgi?id=717146

Source: XF
Type: UNKNOWN
dokuwiki-rss-xss(68122)

Source: XF
Type: UNKNOWN
dokuwiki-rss-xss(68122)

Vulnerable Configuration:

Configuration 1:

cpe:/a:dokuwiki:dokuwiki:2005-07-01:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2005-07-13:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2005-09-19:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2005-09-22:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2006-03-05:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2006-03-09:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2006-11-06:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2007-06-26:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2008-05-05:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2009-02-14b:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:2009-12-25c:*:*:*:*:*:*:*

OR cpe:/a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:* (Version <= 2010-11-07a)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:15193	P	DSA-2320-1 dokuwiki -- regression fix	2014-06-23
oval:com.ubuntu.precise:def:20112510000	V	CVE-2011-2510 on Ubuntu 12.04 LTS (precise) - low.	2011-07-14

BACK