Description
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."
References (4)
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/splitbrain/dokuwiki/issues/2450
Exploit, Third Party Advisory x_refsource_misc
https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
https://seclists.org/fulldisclosure/2018/Sep/4
Various Sources x_refsource_misc
https://www.patreon.com/posts/unfixed-security-21250652
Scores
CVSS v3
9.6
EPSS
0.0333
EPSS Percentile
87.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
dokuwiki/dokuwiki
< 2018-04-22a
Published
Sep 07, 2018
Tracked Since
Feb 18, 2026