MEDIUM🇵🇱 Wersja polska

CVE-2019-25338

CVSS 6.9v4.0pub. 2026-02-12upd. 2026-03-02

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by analyzing the server's error response messages.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dokuwiki

    APP
    Dokuwiki
    2018-04-22b
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2018-15474CRITICAL9.6ten sam produkt

CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWi...

CVE-2017-18123HIGH8.6ten sam produkt

The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, w...

CVE-2016-7964HIGH8.6ten sam produkt

The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when...

CVE-2010-0288HIGH7.5ten sam produkt

A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki befo...

CVE-2009-1960HIGH9.3ten sam produkt

inc/init.php in DokuWiki 2009-02-14, rc2009-02-06, and rc2009-01-30, when register_globals is enabled, allows ...