CVE-2016-7964

Published: Oct 31, 2016Modified: May 6, 2026

8.6

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks. This allows users to scan ports of internal networks via SSRF, such as 10.0.0.1/8, 172.16.0.0/12, and 192.168.0.0/16.

Affected (1)

Products: Dokuwiki: Dokuwiki

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dokuwiki Dokuwiki	Version 2016-06-26a

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

http://www.securityfocus.com/bid/94245

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/splitbrain/dokuwiki/issues/1708

Source: cve@mitre.org

PatchThird Party Advisory

http://www.securityfocus.com/bid/94245

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/splitbrain/dokuwiki/issues/1708

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.