CVE-2014-8761 : inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attack

inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.

Published 2014-10-22 14:55:08

Updated 2015-09-10 15:56:52

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2014-8761

Probability of exploitation activity in the next 30 days: 0.66%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 77 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-8761

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-8761

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-8761

http://www.openwall.com/lists/oss-security/2014/10/13/3

oss-security - CVE request: various security flaws in dokuwiki

CVEs referencing this url
http://advisories.mageia.org/MGASA-2014-0438.html

Mageia Advisory: MGASA-2014-0438 - Updated dokuwiki packages fix security vulnerabilities

CVEs referencing this url
https://bugs.dokuwiki.org/index.php?do=details&task_id=2647#comment6204

FS#2647 $NS is deleted, but template.php ajax.php mediamanager.php still use it.
http://www.debian.org/security/2014/dsa-3059

Debian -- Security Information -- DSA-3059-1 dokuwiki

CVEs referencing this url
https://github.com/splitbrain/dokuwiki/issues/765

ACL checks in the media file details ajax calls only for root/arbitrary namespace · Issue #765 · splitbrain/dokuwiki · GitHub

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2014/10/16/9

oss-security - Re: CVE request: various security flaws in dokuwiki

CVEs referencing this url

Products affected by CVE-2014-8761

Dokuwiki » Dokuwiki
Versions up to, including, (<=) 2013-12-08
cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2014-8761

Exploit prediction scoring system (EPSS) score for CVE-2014-8761

CVSS scores for CVE-2014-8761

CWE ids for CVE-2014-8761

References for CVE-2014-8761

Products affected by CVE-2014-8761