CVE-2016-10026 — ikiwiki - security update

Description

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

How to fix CVE-2016-10026

To remediate CVE-2016-10026, upgrade the affected package to a fixed version below.

—upgrade to 3.20161219 or later
—upgrade to 3.20120629.2+deb7u2 or later
—upgrade to 3.20141016.4 or later

Is CVE-2016-10026 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.20161219
from 0, < 3.20120629.2+deb7u2
from 0, < 3.20141016.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-10026