VDB

GCVE-110-MAGEIA-2014-438

GCVE-110-MAGEIA-2014-438
Advisory Published
Vulnetix · Advisory published October 31, 2014
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call (CVE-2014-8761). The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter (CVE-2014-8762). DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind (CVE-2014-8763). DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind (CVE-2014-8764).

Affected Products

VendorProductVersionsPlatforms
Mageiadokuwiki20140929-1.1.mga3 (unaffected), 0 (affected)
Mageiadokuwiki0 (affected), 20140929-1.1.mga4 (unaffected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›