Multiple vulnerabilities in PukiWiki


PukiWiki provided by PukiWiki Development Team contains multiple vulnerabilities listed below.
* Path Traversal (CWE-22) - CVE-2022-34486
* Reflected Cross-site Scripting (CWE-79) - CVE-2022-27637

Harold Kim reported these vulnerabilities to the developer and coordinated. After coordination was completed, this case was reported to JPCERT/CC and JPCERT/CC coordinated with the developer for the publication.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.7 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-34486

CVSS V3 Severity:
"Base Metrics:6.1 (Medium) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact:
The above CVSS base scores have been assigned for CVE-2022-27637
Affected Products

PukiWiki Developers Team.
  • PukiWiki versions 1.4.5 to 1.5.3 - CVE-2022-34486
  • PukiWiki versions 1.5.1 to 1.5.3 - CVE-2022-27637


* An administrator of the product may execute a malicious script - CVE-2022-34486
* An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2022-27637

[Update the Software]
Update the Software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 1.5.4.
Vendor Information

PukiWiki Developers Team.
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [Other]
  2. Cross-site Scripting(CWE-79) [Other]
CVE (What is CVE?)

  1. CVE-2022-34486
  2. CVE-2022-27637

  1. JVN : JVNVU#96002401
Revision History

  • [2022/08/24]
      Web page was published