{
  "modified": "2025-08-09T19:01:28Z",
  "published": "2006-09-29T23:07:00Z",
  "id": "CVE-2006-5099",
  "details": "lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) w and (2) h parameters, which are not filtered when invoking convert.",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/22192"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/22199"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.vupen.com/english/advisories/2006/3851"
    },
    {
      "type": "EVIDENCE",
      "url": "http://bugs.splitbrain.org/?do=details\u0026id=926"
    },
    {
      "type": "FIX",
      "url": "http://secunia.com/advisories/22192"
    },
    {
      "type": "FIX",
      "url": "http://secunia.com/advisories/22199"
    },
    {
      "type": "FIX",
      "url": "http://security.gentoo.org/glsa/glsa-200609-20.xml"
    }
  ]
}