DokuWiki persistent Cross Site Scripting

From: Filippo Cavallarin <>
Subject: DokuWiki persistent Cross Site Scripting

Advisory ID: SGMA15-001
Title:      DokuWiki persistent Cross Site Scripting
Product: DokuWiki
Version: 2014-09-29c and probably prior
Vulnerability type:        Persistent XSS
Risk level:  Medium
Credit:      Filippo Cavallarin -
Vendor notification: 2015-03-18
Vendor fix: 2015-03-19
Public disclosure: 2015-03-23


DokuWiki version 2014-09-29c (and probably prior) is vulnerable to Persistent Cross Site Scriptng in the admin page.

An attacker may use this vulnerability to execute javascript in the context of a logged admin user. 
Since the vulnerable page has forms with the CSRF token (the same for all requests), a full backend compromise may be possible.

To successfully exploit this vulenrability an attacked must:
  1. have an account on the target site
      2. trick and admin to visit a link or to edit user account

Proof of concept:

1. change your account real name to:
   my name" autofocus onfocus="alert('code executed')

2. login as admin and try to edit the user profile from User Manager


Apply the latest hotfix from vendor's site


Filippo Cavallarin

Copyright © 1995-2019 All rights reserved.