CVE-2018-15474
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/09/2018
Last modified:
17/06/2026
Description
CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki.
Impact
Base Score 3.x
9.60
Severity 3.x
CRITICAL
Base Score 2.0
6.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:* | 2018-04-22a (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/splitbrain/dokuwiki/issues/2450
- https://seclists.org/fulldisclosure/2018/Sep/4
- https://www.patreon.com/posts/unfixed-security-21250652
- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/
- https://github.com/splitbrain/dokuwiki/issues/2450
- https://seclists.org/fulldisclosure/2018/Sep/4
- https://www.patreon.com/posts/unfixed-security-21250652
- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injection-vulnerability/



