This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked at the issue tracker at GitHub.
FS#2918 XSS vulnerability in the plugin management section
The "url" parameter is not properly sanitized when submitting a POST request to download and install a new plugin, therefore allowing the user to perform a reflected XSS attack.
The vulnerability is confirmed in version rc2013-10-28 (Binky) but other previous versions may also be affected.
This had already been fixed here
Since the vulnerability is not exploitable without admin access we did not issue a hotfix release.
Please also note that the plugin manager will be replaced by the extension manager in the next release.