Vulnerability Details : CVE-2015-2172
DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2015-2172
- cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2172
0.92%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile: the proportion of vulnerabilities that are scored at or below this EPSS score
CVSS scores for CVE-2015-2172
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
CWE ids for CVE-2015-2172
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2172
- http://www.securityfocus.com/bid/72827 : DokuWiki 'remote.php' Remote Privilege Escalation Vulnerability (Third Party Advisory; VDB Entry)
- https://www.dokuwiki.org/changes : changes [DokuWiki] (Vendor Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152994.html : [SECURITY] Fedora 20 Update: dokuwiki-0-0.24.20140929c.fc20 (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2015/03/02/2 : oss-security - Re: CVE request: DokuWiki privilege escalation in RPC API (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153266.html : [SECURITY] Fedora 22 Update: dokuwiki-0-0.24.20140929c.fc22 (Mailing List; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153062.html : [SECURITY] Fedora 21 Update: dokuwiki-0-0.24.20140929c.fc21 (Mailing List; Third Party Advisory)
- https://github.com/splitbrain/dokuwiki/commit/4970ad24ce49ec76a0ee67bca7594f918ced2f5f : check permissions in ACL plugin's RPC API component. #1056 · splitbrain/dokuwiki@4970ad2 · GitHub (Third Party Advisory)
- https://github.com/splitbrain/dokuwiki/issues/1056 : missing permission check in ACL Plugin Remote API part · Issue #1056 · splitbrain/dokuwiki · GitHub (Third Party Advisory)
- http://advisories.mageia.org/MGASA-2015-0093.html : Mageia Advisory: MGASA-2015-0093 - Updated dokuwiki packages fix CVE-2015-2172 (Third Party Advisory)