dokuwiki: CVE-2022-28919 XSS vulnerability via the function _generateFilename

Related Vulnerabilities: CVE-2022-28919  

Debian Bug report logs - #1011056


Reported by: Neil Williams <codehelp@debian.org>

Date: Mon, 16 May 2022 09:12:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in versions dokuwiki/0.0.20220317~gitaeff85c-0.1~exp1, dokuwiki/0.0.20200729-0.1

Forwarded to https://github.com/splitbrain/dokuwiki/issues/3651



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#1011056; Package src:dokuwiki. (Mon, 16 May 2022 09:12:04 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 16 May 2022 09:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dokuwiki: CVE-2022-28919 XSS vulnerability via the function _generateFilename
Date: Mon, 16 May 2022 10:09:52 +0100
Source: dokuwiki
Version: 0.0.20200729-0.1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for dokuwiki.

CVE-2022-28919[0]:
| HTMLCreator release_stable_2020-07-29 was discovered to contain a
| cross-site scripting (XSS) vulnerability via the function
| _generateFilename.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28919
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Information forwarded to debian-bugs-dist@lists.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#1011056; Package src:dokuwiki. (Mon, 16 May 2022 09:33:06 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Mon, 16 May 2022 09:33:06 GMT)


Message #10 received at 1011056@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Neil Williams <codehelp@debian.org>, 1011056@bugs.debian.org
Subject: Re: Bug#1011056: dokuwiki: CVE-2022-28919 XSS vulnerability via the function _generateFilename
Date: Mon, 16 May 2022 11:30:09 +0200
Control: forwarded -1 https://github.com/splitbrain/dokuwiki/issues/3651
Control: tag -1 + fixed-upstream
Control: found -1 0.0.20220317~gitaeff85c-0.1~exp1

Hi Neil,

thanks for the bug report.

Neil Williams wrote:
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-28919
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28919

The relevant information seems to be in
https://github.com/splitbrain/dokuwiki/issues/3651

> Please adjust the affected versions in the BTS as needed.

Thanks for the reminder. I updated the upper limit based on its date
and the information in the upstream bug report that the fix was made
just four days ago.

Upstream though hasn't made any new upstream release with this fix
yet, so we will either do an upload of a git snapshot or
cherry-pick that commit. (JFTR, mostly for Anton: Upstream's
release plans for the next stable release are here:
https://github.com/splitbrain/dokuwiki/projects/6)

Figuring out which older releases are affected likely needs some more
digging in upstream's and/or in the library's upstream git repo.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
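The version bookkeeping in this report (two "found" versions, no "fixed" version yet) relies on Debian's version ordering, in which a "~git…" snapshot sorts before a release carrying the same date, which is why the experimental git snapshot upload can serve as the upper bound. The following is an added example, not part of the bug log and not dpkg's or debbugs' own code: a pure-Python re-implementation of dpkg's version comparison (epoch, upstream version, Debian revision, with "~" sorting before everything including end of string) plus a simplified version of the BTS found/fixed rule, run against the two found versions from this report. The string 0.0.20220317-0.1 is a constructed placeholder for a hypothetical later upload, and bug_present is my approximation of the BTS version graph, not its actual algorithm.

```python
"""Debian version ordering applied to the found-version range of bug #1011056.

Added example: a pure-Python re-implementation of dpkg's comparison routine
(the behaviour of `dpkg --compare-versions`) and a simplified BTS found/fixed
rule, so the ordering can be checked on a host without dpkg.
"""
from functools import cmp_to_key

# The two "found" versions recorded in this report; no "fixed" version yet.
FOUND = ("0.0.20200729-0.1", "0.0.20220317~gitaeff85c-0.1~exp1")
FIXED = ()


def _order(c: str) -> int:
    """Weight of one character in dpkg's verrevcmp: '~' < end-of-string < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg: alternating non-digit and digit runs."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one by one.
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        first_diff = 0
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision is ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:  # no hyphen at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def bug_present(installed: str, found=FOUND, fixed=FIXED) -> bool:
    """Simplified BTS rule (assumption, not debbugs' graph logic): the bug is present
    if the installed version is at or after some found version and no fixed version
    newer than the newest such found version is at or before the installed version."""
    reached = [f for f in found if compare_versions(installed, f) >= 0]
    if not reached:
        return False
    newest_found = max(reached, key=cmp_to_key(compare_versions))
    for x in fixed:
        if compare_versions(x, installed) <= 0 and compare_versions(x, newest_found) > 0:
            return False
    return True


if __name__ == "__main__":
    # Third string is a constructed placeholder for a hypothetical later upload.
    for v in FOUND + ("0.0.20220317-0.1",):
        print(f"{v:40} {'present' if bug_present(v) else 'not present'}")
```

The ordering worth noticing is that 0.0.20220317~gitaeff85c-0.1~exp1 compares lower than the constructed 0.0.20220317-0.1, so a later release-based upload of that date would fall after the recorded upper bound and still count as affected until a fixed version is recorded.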

Set Bug forwarded-to-address to 'https://github.com/splitbrain/dokuwiki/issues/3651'. Request was from Axel Beckert <abe@debian.org> to 1011056-submit@bugs.debian.org. (Mon, 16 May 2022 09:33:06 GMT)


Added tag(s) fixed-upstream. Request was from Axel Beckert <abe@debian.org> to 1011056-submit@bugs.debian.org. (Mon, 16 May 2022 09:33:06 GMT)


Marked as found in versions dokuwiki/0.0.20220317~gitaeff85c-0.1~exp1. Request was from Axel Beckert <abe@debian.org> to 1011056-submit@bugs.debian.org. (Mon, 16 May 2022 09:33:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon May 16 13:12:05 2022; Machine Name: buxtehude
