Vulnerability Description
ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ikiwiki | Ikiwiki | 3.20161219 |
Related Weaknesses (CWE)
References
- http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_wIssue TrackingVendor Advisory
- http://www.debian.org/security/2017/dsa-3760
- http://www.openwall.com/lists/oss-security/2016/12/21/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2016/12/29/3Mailing ListThird Party Advisory
- https://ikiwiki.info/security/#index46h2Vendor Advisory
- http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_wIssue TrackingVendor Advisory
- http://www.debian.org/security/2017/dsa-3760
- http://www.openwall.com/lists/oss-security/2016/12/21/3Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2016/12/29/3Mailing ListThird Party Advisory
- https://ikiwiki.info/security/#index46h2Vendor Advisory
FAQ
What is CVE-2016-10026?
CVE-2016-10026 is a vulnerability with a CVSS score of 7.5 (HIGH). ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote at...
How severe is CVE-2016-10026?
CVE-2016-10026 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10026?
Check the references section above for vendor advisories and patch information. Affected products include: Ikiwiki Ikiwiki.