CVE-2016-7965
Publication date 31 October 2016
Last updated 25 August 2025
Description
DokuWiki 2016-06-26a and older builds the password-reset URL from $_SERVER['HTTP_HOST'] instead of from the configured baseurl setting. A remote unauthenticated attacker who requests a password reset for a victim's account with a forged HTTP Host header can therefore choose the hostname of the link in the reset e-mail; because the reset token is part of that link, it is sent to the attacker's host if the victim follows the link, which enables phishing. The vulnerability can be triggered only if the Host header is not part of the web server's routing process, i.e. the server passes requests with an arbitrary Host value through to the wiki (for example a default or catch-all virtual host on a server that serves several domains).
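The pattern described above, as an added example that is not DokuWiki's own code: a reset link built from the request's Host header beside one built from a configured base URL, plus the edge-side Host check that makes the Host header "part of the routing process". The base URL, allowed host list, token and the `do=resendpwd&pwauth=` query shape are assumptions for illustration.

```python
"""Added example (not DokuWiki code): Host-header poisoning of a
password-reset link, and two ways to close it."""
from urllib.parse import urlencode, urlunsplit

# Constructed values: the wiki's canonical base URL (what DokuWiki's
# 'baseurl' setting would hold) and the hostnames this server really serves.
BASEURL = "https://wiki.example.org/"          # assumption
ALLOWED_HOSTS = {"wiki.example.org"}           # assumption

# Query shape assumed for the reset link; only the hostname matters here.
def _reset_query(token):
    return urlencode({"do": "resendpwd", "pwauth": token})

def reset_link_from_host(server, token):
    """Vulnerable pattern: trusts the client-supplied Host header.
    `server` stands in for PHP's $_SERVER array."""
    host = server["HTTP_HOST"]                 # attacker-controlled
    scheme = "https" if server.get("HTTPS") == "on" else "http"
    return urlunsplit((scheme, host, "/doku.php", _reset_query(token), ""))

def reset_link_from_baseurl(server, token, baseurl=BASEURL):
    """Hardened pattern: the link comes from configuration, never from
    the request, so a forged Host header cannot change where it points."""
    return baseurl.rstrip("/") + "/doku.php?" + _reset_query(token)

def _hostname(host_header):
    """Strip an optional port from a Host value, handling IPv6 literals."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # e.g. [::1]:8080
        end = h.find("]")
        return h[1:end] if end > 0 else ""
    return h.split(":", 1)[0]

def host_is_trusted(server, allowed=ALLOWED_HOSTS):
    """Edge-side check: accept only Host values we actually serve.
    Use this to make Host part of routing (reject, do not pass through,
    unknown hosts); an empty or missing Host is rejected too."""
    name = _hostname(server.get("HTTP_HOST", ""))
    return bool(name) and name in allowed

def demo():
    """Constructed attacker request: a reset for a victim with a forged Host."""
    token = "c0ffee1234"                       # constructed reset token
    forged = {"HTTP_HOST": "attacker.example", "REQUEST_METHOD": "POST"}
    return {
        "vulnerable": reset_link_from_host(forged, token),
        "hardened": reset_link_from_baseurl(forged, token),
        "request_accepted": host_is_trusted(forged),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable link lands on attacker.example with the token in its query string; the hardened one ignores the request entirely. The `host_is_trusted` check is the web-server-level equivalent of the maintainer's "Host header is part of the routing process" condition: if the front end refuses unknown Host values, the forged request never reaches the wiki's auto-detection.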
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dokuwiki | 18.04 LTS bionic | Ignored |
| dokuwiki | 16.04 LTS xenial | Ignored |
| dokuwiki | 14.04 LTS trusty | Not in release |
Notes
ebarretto
Setting to ignored as upstream won't fix it. Maintainer note: Autodetecting the host is an important feature for setting up wiki farms and it is a major convenience factor for our users (on installation, on moving the wiki between servers and accessing it from different network locations), so I'm leaning towards a WONTFIX here.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 (Medium) |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |