Source: dokuwiki
Version: 0.0.20160626.a-1
Severity: normal
Tags: security upstream
Forwarded: https://github.com/splitbrain/dokuwiki/issues/1709

Hi,

the following vulnerability was published for dokuwiki. TTBOMK, it looks like upstream does not plan to address this/plan to mark it as wontfix.

CVE-2016-7965[0]:
| DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the
| baseurl setting as part of the password-reset URL. This can lead to
| phishing attacks. (A remote unauthenticated attacker can change the
| URL's hostname via the HTTP Host header.) The vulnerability can be
| triggered only if the Host header is not part of the web server routing
| process (e.g., if several domains are served by the same web server).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-7965
[1] https://github.com/splitbrain/dokuwiki/issues/1709

Regards,
Salvatore
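The pattern the CVE text describes, shown as an added example that is not DokuWiki's own code: a password-reset link built from the request's Host header next to one built from the configured baseurl setting, plus an allow-list check for deployments that must still read the host from the request. The function names, the `/doku.php?do=resendpwd&pwauth=` query string, the sample hosts and the config array layout are assumptions for illustration.

```php
<?php
// Added example (not DokuWiki's code): building a password-reset link from a
// configured base URL instead of the client-controlled Host header.

// Vulnerable pattern (illustrative): the hostname is copied from the Host
// header, so whoever sends the request chooses the host in the e-mailed link.
function reset_url_from_host_header(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    // $server['HTTP_HOST'] is under the requester's control when the web
    // server does not route on Host (the condition described in the CVE text).
    // Query string assumed for illustration.
    return $scheme . '://' . $server['HTTP_HOST']
         . '/doku.php?do=resendpwd&pwauth=' . rawurlencode($token);
}

// Hardened pattern: the origin comes from configuration (the baseurl setting
// named in the advisory); the request is never consulted for it.
function reset_url_from_config(array $conf, string $token): string
{
    $base = rtrim((string)($conf['baseurl'] ?? ''), '/');
    // Refuse to build a link from an empty or relative baseurl: a misconfigured
    // value would silently reintroduce the same problem.
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(:\d+)?(/.*)?$#', $base)) {
        throw new InvalidArgumentException('baseurl must be an absolute http(s) URL');
    }
    return $base . '/doku.php?do=resendpwd&pwauth=' . rawurlencode($token);
}

// Defensive check for setups that must derive the host from the request:
// accept the Host header only when it matches an explicit list of canonical
// hostnames (compared case-insensitively, as DNS names are).
function host_is_allowed(?string $host, array $allowed): bool
{
    if ($host === null || $host === '') {
        return false;
    }
    return in_array(strtolower($host), array_map('strtolower', $allowed), true);
}

// Constructed request: the Host header carries a look-alike domain, while the
// site's real origin lives in configuration.
$server = ['HTTPS' => 'on', 'HTTP_HOST' => 'wiki.example-lookalike.test'];
$conf   = ['baseurl' => 'https://wiki.example.org/'];
$token  = bin2hex(random_bytes(16)); // stand-in for the reset token

echo "Link from Host header: " . reset_url_from_host_header($server, $token) . PHP_EOL;
echo "Link from baseurl:     " . reset_url_from_config($conf, $token) . PHP_EOL;
echo "Host header allowed?   " . (host_is_allowed($server['HTTP_HOST'], ['wiki.example.org']) ? 'yes' : 'no') . PHP_EOL;
```

The first link points at whatever host the request named; the second is pinned to the configured origin regardless of the request, and the allow-list check rejects the constructed Host header, which is the outcome a fix for this report should produce.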