CVE-2016-7965
Summary
| CVE | CVE-2016-7965 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-10-31 10:59:00 UTC |
| Updated | 2016-11-28 20:40:00 UTC |
| Description | DokuWiki 2016-06-26a and older uses `$_SERVER[HTTP_HOST]` instead of the `baseurl` setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP `Host` header.) The vulnerability can be triggered only if the `Host` header is not part of the web server routing process (e.g., if several domains are served by the same web server). |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| DokuWiki CVE-2016-7965 Host Address Spoofing Vulnerability | BID | www.securityfocus.com | |
| Password Reset Address Spoof Vulnerability in DokuWiki · Issue #1709 · splitbrain/dokuwiki · GitHub | CONFIRM | github.com | Exploit, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |