CVE-2016-7965

medium

Published 2016-10-31 · Modified 2026-05-06

CVSS v3

6.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v2

4.3

VIR risk

6.5

Description

DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-7965

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/splitbrain/dokuwiki/issues/1709

OS impact

OS	Version	Status	Fixed in
debian	bookworm	affected
debian	bullseye	affected
debian	forky	fixed	`2024-02-06b+dfsg-7`
debian	sid	fixed	`2024-02-06b+dfsg-7`
debian	trixie	fixed	`2024-02-06b+dfsg-7`

Application impact

Vendor	Product	Versions	Fixed
dokuwiki	dokuwiki	`{"endIncluding":"2016-06-26a"}`

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.