CVE-2015-2172 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2015-2172

CVE-2015-2172

March 30, 2015

DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.

Related Resources (10)

https://github.com/splitbrain/dokuwiki/commit/4970ad24ce49ec76a0ee67bca7594f918ced2f5f

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153266.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/152994.html

https://www.dokuwiki.org/changes

http://www.securityfocus.com/bid/72827

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153062.html

http://www.openwall.com/lists/oss-security/2015/03/02/2

https://security-tracker.debian.org/tracker/CVE-2015-2172

https://github.com/splitbrain/dokuwiki/issues/1056

http://advisories.mageia.org/MGASA-2015-0093.html

Do you need more information?

CVSS v4

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

CVSS v2

Base Score:

6.5

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Improper Access Control

CWE-284

EPSS

Base Score:

1.76

Products

Solutions

Resources

Company

Compare

Developer Tools