Improper Access Control

CVE-2015-2172

Medium

6.5/10

Summary

DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: SINGLE
Integrity Impact: PARTIAL
Confidentiality Impact: PARTIAL
Availability Impact: PARTIAL

CWE-284 - Improper Access Control

Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.

References

Advisory Timeline

Published Mar 30, 2015

Improper Access Control

CVE-2015-2172

Summary

CWE-284 - Improper Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS