Mitre reports:
ikiwiki 3.20161219 does not properly check if a revision changes
the access permissions for a page on sites with the git and
recentchanges plugins and the CGI interface enabled, which allows
remote attackers to revert certain changes by leveraging permissions
to change the page before the revision was made.
When CGI::FormBuilder->field("foo") is called in list context
(and in particular in the arguments to a subroutine that takes named
arguments), it can return zero or more values for foo from the CGI
request, rather than the expected single value. This breaks the
usual Perl parsing convention for named arguments, similar to
CVE-2014-1572 in Bugzilla (which was caused by a similar API design
issue in CGI.pm).