CVE-2016-7965
PUBLISHED
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
EPSS 0.41% · 61.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | dokuwiki | 0, 0.0.20160626.a-2 |
| Ubuntu:16.04:LTS | dokuwiki | 0, 0.0.20140929.d-1ubuntu1, * |
Exploit Intelligence
- https://github.com/splitbrain/dokuwiki/issues/1709 (nist-nvd)
- 94237 (circl)
Timeline
- Oct 31, 2016 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 17, 2022 CVE Updated
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2016-7965 third-party-advisory
- https://github.com/splitbrain/dokuwiki/issues/1709 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2016-7965 third-party-advisory