CVE-2016-7964
HIGH
DokuWiki 2016-06-26a - Server-Side Request Forgery via Media File Fetching
Title source: manual
Description
The sendRequest method of the HTTPClient class in /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports on internal networks via SSRF, such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16.
References (2)
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94245
Patch, Third Party Advisory x_refsource_confirm
https://github.com/splitbrain/dokuwiki/issues/1708
Scores
CVSS v3
8.6
EPSS
0.0181
EPSS Percentile
75.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
dokuwiki/dokuwiki
2016-06-26a
Published
Oct 31, 2016
Tracked Since
Feb 18, 2026