CVE-2016-7965
Published on: 10/31/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:06 PM UTC
Certain versions of Dokuwiki from Dokuwiki contain the following vulnerability:
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).
- CVE-2016-7965 has been assigned by
[email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 6.5 - MEDIUM
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|
|---|---|---|---|---|
| NETWORK | LOW | NONE | REQUIRED | |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
| UNCHANGED | NONE | HIGH | NONE |
CVSS2 Score: 4.3 - MEDIUM
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| NETWORK | MEDIUM | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| NONE | PARTIAL | NONE |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| DokuWiki CVE-2016-7965 Host Address Spoofing Vulnerability | cve.report (archive) text/html |
BID 94237 |
| Password Reset Address Spoof Vulnerability in DokuWiki · Issue #1709 · splitbrain/dokuwiki · GitHub | Exploit Vendor Advisory github.com text/html |
CONFIRM github.com/splitbrain/dokuwiki/issues/1709 |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Dokuwiki | Dokuwiki | All | All | All | All |
- cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE