Arch Linux: ASA-202312-27 Medium: DokuWiki Reflected XSS Vulnerability

Arch Linux Security Advisory ASA-201412-19
=========================================
Severity: Medium
Date    : 2014-12-16
CVE-ID  : CVE-2014-9253
Package : dokuwiki
Type    : cross-site scripting
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package dokuwiki before version 20140929_b-1 is vulnerable to
cross-site scripting.

Resolution
=========
Upgrade to 20140929_b-1.

# pacman -Syu "dokuwiki>=20140929_b-1"

The problem has been fixed upstream in version 20140929_b.

Workaround
=========
None.

Description
==========
It was discovered that dokuwiki did not sufficiently filter uploaded
files. A remote attacker with upload access is able to use this flaw in
order to upload SWF files leading to possible cross-site scripting.

Impact
=====
A remote attacker with upload access is able to craft a SWF file to
perform a cross-site scripting attack.

References
=========
https://access.redhat.com/security/cve/CVE-2014-9253
https://seclists.org/oss-sec/2014/q4/1050

https://github.com/dokuwiki/dokuwiki/commit/778ddf