Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki

Reported on Dec 8th 2021

Another low-severity CSRF (the last one, I think) identified on the styling page

Proof of Concept

Requests to the following endpoint (used by admins to edit template styling settings) do not contain the sectok CSRF token:

POST /doku.php?id=start&do=admin&page=styling


This vulnerability can be used to trick admin users into defacing their own website.
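As an added illustration (not the report's or DokuWiki's own code), the following PHP sketch shows the synchronizer-token pattern that the missing sectok check corresponds to: a vulnerable handler applies a settings POST unconditionally, while the hardened one refuses any request whose sectok does not match the copy held in the session. All function names, the session array and the sample settings below are hypothetical and constructed for the demonstration; DokuWiki's real helpers for this are getSecurityToken() and checkSecurityToken().

```php
<?php
// Added example, not DokuWiki code. Demonstrates why a state-changing admin
// POST must carry a per-session token (DokuWiki calls it "sectok") and how a
// handler should verify it. Names here are hypothetical.

// Issue a token once per session and keep it in the session store. Forms that
// change state embed it as a hidden "sectok" field.
function issue_sectok(array &$session): string
{
    if (empty($session['sectok'])) {
        $session['sectok'] = bin2hex(random_bytes(16));
    }
    return $session['sectok'];
}

// Verify the token sent with a POST against the session copy. True only when
// both exist and match; hash_equals() is a constant-time comparison.
function verify_sectok(array $post, array $session): bool
{
    $sent   = $post['sectok'] ?? '';
    $stored = $session['sectok'] ?? '';
    if ($sent === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $sent);
}

// Vulnerable shape: settings are saved as soon as a logged-in admin's browser
// submits the POST. The browser attaches the admin's cookies to a cross-site
// form submission too, so a forged request is accepted.
function handle_styling_vulnerable(array $post, callable $save): string
{
    $save($post['tpl'] ?? []);
    return 'saved';
}

// Hardened shape: the same handler, but nothing is saved unless the request
// carries a valid sectok. A cross-site page cannot read the victim's token,
// so the forged request is rejected before any state changes.
function handle_styling_hardened(array $post, array $session, callable $save): string
{
    if (!verify_sectok($post, $session)) {
        http_response_code(403);
        return 'rejected: missing or invalid sectok';
    }
    $save($post['tpl'] ?? []);
    return 'saved';
}

// Demonstration with constructed requests; the "session" is a plain array so
// the script runs from the command line without a web server.
$saved   = [];
$save    = function (array $settings) use (&$saved) { $saved = $settings; };
$session = [];
issue_sectok($session);

$forged  = ['tpl' => ['__background__' => '#ff0000']];   // constructed settings, no sectok
$genuine = $forged + ['sectok' => $session['sectok']];   // same settings with the token

echo handle_styling_vulnerable($forged, $save), "\n";
echo handle_styling_hardened($forged, $session, $save), "\n";
echo handle_styling_hardened($genuine, $session, $save), "\n";
```

The check belongs in the handler that applies the change, not only in the form that renders it, because the attacker builds their own form; the token is what ties the submission to a page the admin actually loaded from the site.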


We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. a year ago
We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back a year ago
Andreas Gohr validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 54bcc3 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
admin.php#L58L114 has been validated