DokuWiki persistent Cross Site Scripting

By | 2017-10-26T13:00:19+00:00 23 March 2015|Tags: |
Advisory ID:SGMA15-001
Title:DokuWiki persistent Cross Site Scripting
Version:2014-09-29c and probably prior
Vulnerability type:Persistent XSS
Risk level:Medium
Credit:Filippo Cavallarin -
Vendor notification:2015-03-18
Vendor Fix:2015-03-19
Public disclosure:2015-03-23


DokuWiki version 2014-09-29c (and probably prior) is vulnerable to Persistent Cross Site Scriptng in the admin page.

An attacker may use this vulnerability to execute javascript in the context of a logged admin user.
Since the vulnerable page has forms with the CSRF token (the same for all requests), a full backend compromise may be possible.
To successfully exploit this vulenrability an attacked must:
1. have an account on the target site
2. trick and admin to visit a link or to edit user account


1. change your account real name to:

my name" autofocus onfocus="alert('code executed')

2. login as admin and try to edit the user profile from User Manager



Apply the latest hotfix from vendor’s site