CVE-2011-2510
Description
Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attackers to inject arbitrary web script or HTML via a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DokuWiki before 2011-05-25a Rincewind contains a cross-site scripting (XSS) vulnerability in its RSS embedding feature: links taken from an embedded feed are written into the rendered page without proper escaping, so a crafted link can inject arbitrary script or HTML.
Vulnerability
The RSS embedding feature in DokuWiki versions prior to the 2011-05-25a Rincewind hotfix release does not properly escape links taken from the embedded feed before writing them into the page's XHTML. An attacker who controls a feed that a wiki page embeds can therefore inject arbitrary web script or HTML through a malicious link in that feed. The hotfix announcement states this affects at least the Anteater and Rincewind releases and likely older versions as well [3]; the affected-product list below reaches back to the 2005 releases.
Exploitation
An attacker needs to craft a link carrying malicious JavaScript (or markup that breaks out of the generated anchor tag) and have it included in an RSS feed that some DokuWiki page embeds. No wiki account is required: it is enough to control the feed content, for example by hosting a malicious feed that a page author is persuaded to embed, or by injecting a link into a feed the wiki already pulls (e.g., through a separate vulnerability in the feed's source). When a user views the page with the embedded feed, the wiki renders the link and the injected script executes in the wiki's origin, in the context of the victim's session.
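The mechanism described in the Vulnerability and Exploitation sections, reduced to a runnable illustration. This is added example code written for this page, not DokuWiki's own renderer from inc/parser/xhtml.php, and the feed it parses is constructed for the demo. It contrasts a renderer that interpolates feed-supplied links and titles straight into HTML (the pre-hotfix pattern) with a hardened one that HTML-escapes both and refuses non-http(s)/ftp link schemes; the scheme allowlist is an assumption of the example, not something the page attributes to the fix.

```python
"""Illustration of an XSS-prone RSS embed renderer beside a hardened one.

Example code for this page; not DokuWiki's implementation. The feed below is
constructed: it carries one link that breaks out of the href attribute and
one javascript: link, plus a title containing a <script> tag.
"""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed attacker-controlled feed. Angle brackets are XML-escaped here
# so the parser yields the raw payloads as element text.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item>
  <title>News &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>http://example.test/x"&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;</link>
</item>
<item>
  <title>Click me</title>
  <link>javascript:alert(2)</link>
</item>
</channel></rss>"""


def parse_items(feed_xml):
    """Return [{'title': ..., 'link': ...}, ...] for every <item> in the feed."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
        })
    return items


def render_vulnerable(items):
    """Pre-hotfix pattern: feed values are written into the markup verbatim."""
    out = ["<ul>"]
    for it in items:
        out.append('<li><a href="%s">%s</a></li>' % (it["link"], it["title"]))
    out.append("</ul>")
    return "\n".join(out)


# Assumed allowlist for this example; anything else (javascript:, data:, ...)
# is replaced by a harmless fragment link.
SAFE_SCHEMES = ("http", "https", "ftp")


def safe_href(url):
    """Keep the URL only if its scheme is in the allowlist."""
    scheme = urlsplit(url).scheme.lower()
    return url if scheme in SAFE_SCHEMES else "#"


def render_hardened(items):
    """Escape attribute and text content; quote=True also escapes the double quote."""
    out = ["<ul>"]
    for it in items:
        href = html.escape(safe_href(it["link"]), quote=True)
        title = html.escape(it["title"], quote=True)
        out.append('<li><a href="%s">%s</a></li>' % (href, title))
    out.append("</ul>")
    return "\n".join(out)


def contains_script(html_out):
    """Crude check used by the demo: did a literal <script tag survive rendering?"""
    return "<script" in html_out.lower()


if __name__ == "__main__":
    feed_items = parse_items(MALICIOUS_FEED)
    print("vulnerable:\n" + render_vulnerable(feed_items))
    print("hardened:\n" + render_hardened(feed_items))
```

Running it shows the vulnerable output closing the href attribute early and emitting a live `<script>` element, while the hardened output contains only `&lt;script&gt;` text and turns the `javascript:` link into `href="#"`. Escaping alone stops the attribute break-out; the scheme check is what neutralizes the second item, which would otherwise be a perfectly well-formed but still dangerous anchor.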
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the affected DokuWiki page. Because the script runs in the wiki's own origin, it can act with the viewer's privileges on the wiki (reading or editing pages the viewer can access, or performing administrative actions if the viewer is an admin), as well as hijack the session, deface content, or exfiltrate sensitive information. The attack is a classic cross-site scripting (XSS) vulnerability [1][2].
Mitigation
The vulnerability is fixed in DokuWiki release 2011-05-25a Rincewind, released on June 14, 2011 [3]. Users should upgrade to this version or later; distribution packages shipped the fix as well (see the Debian, Fedora and Gentoo advisories in the references). For those unable to perform a full upgrade, the hotfix announcement gives instructions to manually replace specific files (inc/parser/xhtml.php, inc/mail.php, inc/indexer.php, VERSION, doku.php) with patched versions from the GitHub repository [3]; after doing so, confirm that the VERSION file reports 2011-05-25a. No workaround is documented other than applying the patch.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13 CPE entries:
- cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:* (range: <= 2010-11-07a)
- cpe:2.3:a:dokuwiki:dokuwiki:2005-07-01:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2005-07-13:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2005-09-19:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2005-09-22:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2006-03-05:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2006-03-09:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2006-11-06:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2007-06-26:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2008-05-05:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2009-02-14b:*:*:*:*:*:*:*
- cpe:2.3:a:dokuwiki:dokuwiki:2009-12-25c:*:*:*:*:*:*:*
- (no CPE) (range: < 2011-05-25a)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
15 references:
- bugs.debian.org/cgi-bin/bugreport.cgi (NVD: Patch)
- www.freelists.org/post/dokuwiki/Hotfix-Release-20110525a-Rincewind (NVD: Patch)
- www.openwall.com/lists/oss-security/2011/06/28/5 (NVD: Patch)
- www.openwall.com/lists/oss-security/2011/06/29/13 (NVD: Patch)
- bugzilla.redhat.com/show_bug.cgi (NVD: Patch)
- secunia.com/advisories/45009 (NVD: Vendor Advisory)
- secunia.com/advisories/45190 (NVD: Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062380.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062389.html (NVD)
- security.gentoo.org/glsa/glsa-201301-07.xml (NVD)
- www.certa.ssi.gouv.fr/site/CERTA-2011-AVI-366/CERTA-2011-AVI-366.html (NVD)
- www.debian.org/security/2011/dsa-2320 (NVD)
- www.dokuwiki.org/changes (NVD)
- www.securityfocus.com/bid/48364 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/68122 (NVD)
News mentions
No linked articles in our index yet.