[Bug 1016606] New: VUL-0: ikiwiki: authorization bypass when reverting changes
http://bugzilla.opensuse.org/show_bug.cgi?id=1016606

Bug ID: 1016606
Summary: VUL-0: ikiwiki: authorization bypass when reverting changes
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2016/q4/717
=================================================
Reference: http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_fil...
Vulnerable versions: < 3.20161219
Fixed versions: >= 3.20161219
Fix: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=9cada49ed6...

ikiwiki is a static site generator with some dynamic features, used for wikis, blogs and other websites.

intrigeri discovered that on sites with the git and recentchanges plugins and the CGI interface enabled, the revert links on the RecentChanges page could revert changes on a page the logged-in user cannot legitimately edit, if the change being reverted was made before the page was renamed from a location that the logged-in user *could* legitimately edit.

Please allocate a CVE ID for this vulnerability.

Thanks,
S
=================================================

Don't know about this report, because, due to https://software.opensuse.org/package/ikiwiki , this package is not in official (open-)SUSE repos...

--
You are receiving this mail because:
You are on the CC list for the bug.