Search criteria
90 vulnerabilities by Tiki
CVE-2025-34111 (GCVE-0-2025-34111)
Vulnerability from cvelistv5 – Published: 2025-07-15 13:09 – Updated: 2025-11-28 16:26
VLAI?
Title
Tiki Wiki <= 15.1 ELFinder Unauthenticated File Upload RCE
Summary
An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki Software Community Association | Wiki CMS Groupware |
Affected:
* , ≤ 15.1
(semver)
|
Credits
Mehmet Ince
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-34111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-15T13:30:10.367640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-15T13:30:36.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"ELFinder 2.0 (third-party file manager)",
"/vendor_extra/elfinder/php/connector.minimal.php"
],
"product": "Wiki CMS Groupware",
"vendor": "Tiki Software Community Association",
"versions": [
{
"lessThanOrEqual": "15.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:12.9:*:*:*:*:*:*:*",
"versionEndIncluding": "15.1",
"versionStartIncluding": "*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mehmet Ince"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component\u0027s default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/."
}
],
"value": "An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component\u0027s default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T16:26:17.037Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/40091"
},
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/tiki-wiki-el-finder-unauthenticated-file-upload-rce"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Tiki Wiki \u003c= 15.1 ELFinder Unauthenticated File Upload RCE",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-34111",
"datePublished": "2025-07-15T13:09:56.350Z",
"dateReserved": "2025-04-15T19:15:22.560Z",
"dateUpdated": "2025-11-28T16:26:17.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32461 (GCVE-0-2025-32461)
Vulnerability from cvelistv5 – Published: 2025-04-09 00:00 – Updated: 2025-11-03 19:53
VLAI?
Summary
wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.
Severity ?
9.9 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T19:24:35.575143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T19:25:12.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:53:30.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://seclists.org/fulldisclosure/2025/Jul/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tiki",
"vendor": "Tiki",
"versions": [
{
"lessThan": "21.12",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "24.8",
"status": "affected",
"version": "22",
"versionType": "custom"
},
{
"lessThan": "27.2",
"status": "affected",
"version": "25",
"versionType": "custom"
},
{
"lessThan": "28.3",
"status": "affected",
"version": "28",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*",
"versionEndExcluding": "21.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*",
"versionEndExcluding": "24.8",
"versionStartIncluding": "22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*",
"versionEndExcluding": "27.2",
"versionStartIncluding": "25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*",
"versionEndExcluding": "28.3",
"versionStartIncluding": "28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T01:37:03.152Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://tiki.org/article517"
},
{
"url": "https://tiki.org/article518"
},
{
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/be8dc1aa220fbceb07a7a5dc36416243afccd358"
},
{
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/801ed912390c2aa6caf12b7b953e200f5d4bc0b1"
},
{
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0"
},
{
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/9ffb4ab21bd86837370666ecd6afd868f3d7877a"
},
{
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/f3f36c1ac702479209acfcaec5789d2fd1f996bc"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-32461",
"datePublished": "2025-04-09T00:00:00.000Z",
"dateReserved": "2025-04-09T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:53:30.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51506 (GCVE-0-2024-51506)
Vulnerability from cvelistv5 – Published: 2024-10-28 00:00 – Updated: 2024-10-29 18:40
VLAI?
Summary
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tiki",
"vendor": "tiki",
"versions": [
{
"lessThanOrEqual": "27.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51506",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:37:14.483574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T18:40:53.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki through 27.0 allows users who have certain permissions to insert a \"Create a Wiki Pages\" stored XSS payload in the description."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T22:37:55.395981",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.tiki.org/Disclose-a-Vulnerability"
},
{
"url": "https://github.com/r0ck3t1973/xss_payload/issues/8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51506",
"datePublished": "2024-10-28T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-10-29T18:40:53.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51509 (GCVE-0-2024-51509)
Vulnerability from cvelistv5 – Published: 2024-10-28 00:00 – Updated: 2024-10-29 18:38
VLAI?
Summary
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tiki",
"vendor": "tiki",
"versions": [
{
"lessThanOrEqual": "27.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51509",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:36:43.085125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T18:38:58.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki through 27.0 allows users who have certain permissions to insert a \"Modules\" (aka tiki-admin_modules.php) stored XSS payload in the Name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T22:37:32.166157",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.tiki.org/Disclose-a-Vulnerability"
},
{
"url": "https://github.com/r0ck3t1973/xss_payload/issues/10"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51509",
"datePublished": "2024-10-28T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-10-29T18:38:58.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51508 (GCVE-0-2024-51508)
Vulnerability from cvelistv5 – Published: 2024-10-28 00:00 – Updated: 2024-10-29 18:40
VLAI?
Summary
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tiki",
"vendor": "tiki",
"versions": [
{
"lessThanOrEqual": "27.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51508",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:36:53.440940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T18:40:32.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki through 27.0 allows users who have certain permissions to insert a \"Create/Edit External Wiki\" stored XSS payload in the Index."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T22:37:40.609893",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.tiki.org/Disclose-a-Vulnerability"
},
{
"url": "https://github.com/r0ck3t1973/xss_payload/issues/9"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51508",
"datePublished": "2024-10-28T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-10-29T18:40:32.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51507 (GCVE-0-2024-51507)
Vulnerability from cvelistv5 – Published: 2024-10-28 00:00 – Updated: 2024-10-29 18:40
VLAI?
Summary
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "tiki",
"vendor": "tiki",
"versions": [
{
"lessThanOrEqual": "27.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51507",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-29T14:37:07.826542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-29T18:40:43.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki through 27.0 allows users who have certain permissions to insert a \"Create/Edit External Wiki\" stored XSS payload in the Name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T22:37:47.194007",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.tiki.org/Disclose-a-Vulnerability"
},
{
"url": "https://github.com/r0ck3t1973/xss_payload/issues/9"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-51507",
"datePublished": "2024-10-28T00:00:00",
"dateReserved": "2024-10-28T00:00:00",
"dateUpdated": "2024-10-29T18:40:43.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22850 (GCVE-0-2023-22850)
Vulnerability from cvelistv5 – Published: 2023-01-14 00:00 – Updated: 2025-04-07 18:26
VLAI?
Summary
Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tiki.org/articles"
},
{
"tags": [
"x_transferred"
],
"url": "https://karmainsecurity.com/KIS-2023-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22850",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:25:41.688594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:26:13.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://tiki.org/articles"
},
{
"url": "https://karmainsecurity.com/KIS-2023-03"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-22850",
"datePublished": "2023-01-14T00:00:00.000Z",
"dateReserved": "2023-01-08T00:00:00.000Z",
"dateUpdated": "2025-04-07T18:26:13.766Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22851 (GCVE-0-2023-22851)
Vulnerability from cvelistv5 – Published: 2023-01-14 00:00 – Updated: 2025-04-04 14:38
VLAI?
Summary
Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
Severity ?
7.2 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:31.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tiki.org/articles"
},
{
"tags": [
"x_transferred"
],
"url": "https://karmainsecurity.com/KIS-2023-04"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22851",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T14:37:32.825046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T14:38:40.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://tiki.org/articles"
},
{
"url": "https://karmainsecurity.com/KIS-2023-04"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-22851",
"datePublished": "2023-01-14T00:00:00.000Z",
"dateReserved": "2023-01-08T00:00:00.000Z",
"dateUpdated": "2025-04-04T14:38:40.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22852 (GCVE-0-2023-22852)
Vulnerability from cvelistv5 – Published: 2023-01-14 00:00 – Updated: 2025-04-07 18:21
VLAI?
Summary
Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tiki.org/articles"
},
{
"tags": [
"x_transferred"
],
"url": "https://karmainsecurity.com/KIS-2023-01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:21:01.311796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:21:49.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://tiki.org/articles"
},
{
"url": "https://karmainsecurity.com/KIS-2023-01"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-22852",
"datePublished": "2023-01-14T00:00:00.000Z",
"dateReserved": "2023-01-08T00:00:00.000Z",
"dateUpdated": "2025-04-07T18:21:49.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22853 (GCVE-0-2023-22853)
Vulnerability from cvelistv5 – Published: 2023-01-14 00:00 – Updated: 2025-04-07 18:15
VLAI?
Summary
Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.875Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tiki.org/articles"
},
{
"tags": [
"x_transferred"
],
"url": "https://karmainsecurity.com/KIS-2023-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-22853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:14:40.333209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:15:14.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-14T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://tiki.org/articles"
},
{
"url": "https://karmainsecurity.com/KIS-2023-02"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-22853",
"datePublished": "2023-01-14T00:00:00.000Z",
"dateReserved": "2023-01-08T00:00:00.000Z",
"dateUpdated": "2025-04-07T18:15:14.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36551 (GCVE-0-2021-36551)
Vulnerability from cvelistv5 – Published: 2021-10-28 19:11 – Updated: 2024-08-04 00:54
VLAI?
Summary
TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.589Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/r0ck3t1973/xss_payload/issues/7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-28T19:11:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/r0ck3t1973/xss_payload/issues/7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-36551",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/r0ck3t1973/xss_payload/issues/7",
"refsource": "MISC",
"url": "https://github.com/r0ck3t1973/xss_payload/issues/7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-36551",
"datePublished": "2021-10-28T19:11:12",
"dateReserved": "2021-07-12T00:00:00",
"dateUpdated": "2024-08-04T00:54:51.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36550 (GCVE-0-2021-36550)
Vulnerability from cvelistv5 – Published: 2021-10-28 19:11 – Updated: 2024-08-04 00:54
VLAI?
Summary
TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:54:51.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/r0ck3t1973/xss_payload/issues/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-28T19:11:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/r0ck3t1973/xss_payload/issues/6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-36550",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/r0ck3t1973/xss_payload/issues/6",
"refsource": "MISC",
"url": "https://github.com/r0ck3t1973/xss_payload/issues/6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-36550",
"datePublished": "2021-10-28T19:11:11",
"dateReserved": "2021-07-12T00:00:00",
"dateUpdated": "2024-08-04T00:54:51.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29254 (GCVE-0-2020-29254)
Vulnerability from cvelistv5 – Published: 2020-12-11 15:11 – Updated: 2024-08-04 16:48
VLAI?
Summary
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/Uc3sRBitu50"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/S1lkys/CVE-2020-29254"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-Wiki%2021.2%20by%20Maximilian%20Barz.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-11T15:11:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/Uc3sRBitu50"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/S1lkys/CVE-2020-29254"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-Wiki%2021.2%20by%20Maximilian%20Barz.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29254",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://youtu.be/Uc3sRBitu50",
"refsource": "MISC",
"url": "https://youtu.be/Uc3sRBitu50"
},
{
"name": "https://github.com/S1lkys/CVE-2020-29254",
"refsource": "MISC",
"url": "https://github.com/S1lkys/CVE-2020-29254"
},
{
"name": "https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-Wiki%2021.2%20by%20Maximilian%20Barz.pdf",
"refsource": "MISC",
"url": "https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-Wiki%2021.2%20by%20Maximilian%20Barz.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29254",
"datePublished": "2020-12-11T15:11:10",
"dateReserved": "2020-11-27T00:00:00",
"dateUpdated": "2024-08-04T16:48:01.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15906 (GCVE-0-2020-15906)
Vulnerability from cvelistv5 – Published: 2020-10-22 17:26 – Updated: 2024-08-04 13:30
VLAI?
Summary
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:30:23.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-22T17:26:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15906",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html"
},
{
"name": "https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3",
"refsource": "MISC",
"url": "https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15906",
"datePublished": "2020-10-22T17:26:11",
"dateReserved": "2020-07-23T00:00:00",
"dateUpdated": "2024-08-04T13:30:23.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16131 (GCVE-0-2020-16131)
Vulnerability from cvelistv5 – Published: 2020-08-03 16:52 – Updated: 2024-08-04 13:37
VLAI?
Summary
Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:53.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tiki.org/News"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki before 21.2 allows XSS because [\\s\\/\"\\\u0027] is not properly considered in lib/core/TikiFilter/PreventXss.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-03T16:52:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tiki.org/News"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-16131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki before 21.2 allows XSS because [\\s\\/\"\\\u0027] is not properly considered in lib/core/TikiFilter/PreventXss.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1",
"refsource": "MISC",
"url": "https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1"
},
{
"name": "https://tiki.org/News",
"refsource": "MISC",
"url": "https://tiki.org/News"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-16131",
"datePublished": "2020-08-03T16:52:42",
"dateReserved": "2020-07-29T00:00:00",
"dateUpdated": "2024-08-04T13:37:53.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8966 (GCVE-0-2020-8966)
Vulnerability from cvelistv5 – Published: 2020-04-01 20:18 – Updated: 2024-09-16 16:23
VLAI?
Title
Cross Site Scripting (XSS) flaws found in Tiki-Wiki CMS software
Summary
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.
Severity ?
6.5 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki-Wiki Groupware | Tiki-Wiki CMS |
Affected:
through 20.0
|
Credits
Pablo Sebastián Arias Rodríguez, Rubén Barberà Pérez, Jorge Alberto Palma Reyes from S2Grupo at CSIRT-CV (Valencia CSIRT) with special thanks to the CSIRT-CV team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.521Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://sourceforge.net/p/tikiwiki/code/75455"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Tiki-Wiki CMS",
"vendor": "Tiki-Wiki Groupware",
"versions": [
{
"status": "affected",
"version": "through 20.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Pablo Sebasti\u00e1n Arias Rodr\u00edguez, Rub\u00e9n Barber\u00e0 P\u00e9rez, Jorge Alberto Palma Reyes from S2Grupo at CSIRT-CV (Valencia CSIRT) with special thanks to the CSIRT-CV team"
}
],
"datePublic": "2020-03-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-01T20:18:19",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://sourceforge.net/p/tikiwiki/code/75455"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 21.0"
}
],
"source": {
"advisory": "INCIBE-2020-0134",
"discovery": "EXTERNAL"
},
"title": "Cross Site Scripting (XSS) flaws found in Tiki-Wiki CMS software",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-coordination@incibe.es",
"DATE_PUBLIC": "2020-03-31T11:30:00.000Z",
"ID": "CVE-2020-8966",
"STATE": "PUBLIC",
"TITLE": "Cross Site Scripting (XSS) flaws found in Tiki-Wiki CMS software"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tiki-Wiki CMS",
"version": {
"version_data": [
{
"version_value": "through 20.0"
}
]
}
}
]
},
"vendor_name": "Tiki-Wiki Groupware"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Pablo Sebasti\u00e1n Arias Rodr\u00edguez, Rub\u00e9n Barber\u00e0 P\u00e9rez, Jorge Alberto Palma Reyes from S2Grupo at CSIRT-CV (Valencia CSIRT) with special thanks to the CSIRT-CV team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software",
"refsource": "CONFIRM",
"url": "https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software"
},
{
"name": "https://sourceforge.net/p/tikiwiki/code/75455",
"refsource": "CONFIRM",
"url": "https://sourceforge.net/p/tikiwiki/code/75455"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 21.0"
}
],
"source": {
"advisory": "INCIBE-2020-0134",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2020-8966",
"datePublished": "2020-04-01T20:18:19.303817Z",
"dateReserved": "2020-02-13T00:00:00",
"dateUpdated": "2024-09-16T16:23:22.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-6022 (GCVE-0-2013-6022)
Vulnerability from cvelistv5 – Published: 2020-02-12 21:48 – Updated: 2024-08-06 17:29
VLAI?
Summary
A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:42.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/63463"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/450646"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Tiki",
"vendor": "Tiki",
"versions": [
{
"status": "affected",
"version": "2013"
}
]
}
],
"datePublic": "2013-10-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T21:48:43",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/63463"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.kb.cert.org/vuls/id/450646"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2013-6022",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tiki",
"version": {
"version_data": [
{
"version_value": "2013"
}
]
}
}
]
},
"vendor_name": "Tiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.securityfocus.com/bid/63463",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/63463"
},
{
"name": "http://www.kb.cert.org/vuls/id/450646",
"refsource": "MISC",
"url": "http://www.kb.cert.org/vuls/id/450646"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2013-6022",
"datePublished": "2020-02-12T21:48:43",
"dateReserved": "2013-10-04T00:00:00",
"dateUpdated": "2024-08-06T17:29:42.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4558 (GCVE-0-2011-4558)
Vulnerability from cvelistv5 – Published: 2020-01-27 14:40 – Updated: 2024-08-07 00:09
VLAI?
Summary
Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:18.961Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/108111/Tiki-Wiki-CMS-Groupware-8.2-Code-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-27T14:40:58",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/108111/Tiki-Wiki-CMS-Groupware-8.2-Code-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4558",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/108111/Tiki-Wiki-CMS-Groupware-8.2-Code-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/108111/Tiki-Wiki-CMS-Groupware-8.2-Code-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4558",
"datePublished": "2020-01-27T14:40:58",
"dateReserved": "2011-11-28T00:00:00",
"dateUpdated": "2024-08-07T00:09:18.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4336 (GCVE-0-2011-4336)
Vulnerability from cvelistv5 – Published: 2020-01-15 13:48 – Updated: 2024-08-07 00:01
VLAI?
Summary
Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki | Wiki CMS Groupware |
Affected:
7.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:01:51.572Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2011/Nov/140"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.securityfocus.com/bid/48806/info"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wiki CMS Groupware",
"vendor": "Tiki",
"versions": [
{
"status": "affected",
"version": "7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki Wiki CMS Groupware 7.0 has XSS via the GET \"ajax\" parameter to snarf_ajax.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T13:48:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/bugtraq/2011/Nov/140"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.securityfocus.com/bid/48806/info"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-4336",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Wiki CMS Groupware",
"version": {
"version_data": [
{
"version_value": "7.0"
}
]
}
}
]
},
"vendor_name": "Tiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki Wiki CMS Groupware 7.0 has XSS via the GET \"ajax\" parameter to snarf_ajax.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://seclists.org/bugtraq/2011/Nov/140",
"refsource": "MISC",
"url": "https://seclists.org/bugtraq/2011/Nov/140"
},
{
"name": "https://www.securityfocus.com/bid/48806/info",
"refsource": "MISC",
"url": "https://www.securityfocus.com/bid/48806/info"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-4336",
"datePublished": "2020-01-15T13:48:01",
"dateReserved": "2011-11-04T00:00:00",
"dateUpdated": "2024-08-07T00:01:51.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4455 (GCVE-0-2011-4455)
Vulnerability from cvelistv5 – Published: 2019-11-20 18:57 – Updated: 2024-08-07 00:09
VLAI?
Summary
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:18.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-11-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-20T18:57:57",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4455",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4455",
"datePublished": "2019-11-20T18:57:57",
"dateReserved": "2011-11-15T00:00:00",
"dateUpdated": "2024-08-07T00:09:18.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4454 (GCVE-0-2011-4454)
Vulnerability from cvelistv5 – Published: 2019-11-20 18:57 – Updated: 2024-08-07 00:09
VLAI?
Summary
Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:18.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-11-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-20T18:57:55",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4454",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4454",
"datePublished": "2019-11-20T18:57:55",
"dateReserved": "2011-11-15T00:00:00",
"dateUpdated": "2024-08-07T00:09:18.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4239 (GCVE-0-2010-4239)
Vulnerability from cvelistv5 – Published: 2019-10-28 14:48 – Updated: 2024-08-07 03:34
VLAI?
Summary
Tiki Wiki CMS Groupware 5.2 has Local File Inclusion
Severity ?
No CVSS data available.
CWE
- UNKNOWN_TYPE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki Wiki | CMS Groupware |
Affected:
5.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:34:37.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4239"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4239"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CMS Groupware",
"vendor": "Tiki Wiki",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki Wiki CMS Groupware 5.2 has Local File Inclusion"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-28T14:48:29",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4239"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4239"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-4239",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CMS Groupware",
"version": {
"version_data": [
{
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Tiki Wiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki Wiki CMS Groupware 5.2 has Local File Inclusion"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2010-4239",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4239"
},
{
"name": "https://access.redhat.com/security/cve/cve-2010-4239",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2010-4239"
},
{
"name": "https://www.openwall.com/lists/oss-security/2010/11/22/9",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"name": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt",
"refsource": "MISC",
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-lfi.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-4239",
"datePublished": "2019-10-28T14:48:29",
"dateReserved": "2010-11-16T00:00:00",
"dateUpdated": "2024-08-07T03:34:37.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4240 (GCVE-0-2010-4240)
Vulnerability from cvelistv5 – Published: 2019-10-28 14:45 – Updated: 2024-08-07 03:34
VLAI?
Summary
Tiki Wiki CMS Groupware 5.2 has XSS
Severity ?
No CVSS data available.
CWE
- UNKNOWN_TYPE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki Wiki | CMS Groupware |
Affected:
5.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:34:37.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4240"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4240"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xss.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CMS Groupware",
"vendor": "Tiki Wiki",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki Wiki CMS Groupware 5.2 has XSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-28T14:45:55",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4240"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4240"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xss.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-4240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CMS Groupware",
"version": {
"version_data": [
{
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Tiki Wiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki Wiki CMS Groupware 5.2 has XSS"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2010-4240",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4240"
},
{
"name": "https://access.redhat.com/security/cve/cve-2010-4240",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2010-4240"
},
{
"name": "https://www.openwall.com/lists/oss-security/2010/11/22/9",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
},
{
"name": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xss.txt",
"refsource": "MISC",
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xss.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-4240",
"datePublished": "2019-10-28T14:45:55",
"dateReserved": "2010-11-16T00:00:00",
"dateUpdated": "2024-08-07T03:34:37.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4241 (GCVE-0-2010-4241)
Vulnerability from cvelistv5 – Published: 2019-10-28 14:43 – Updated: 2024-08-07 03:34
VLAI?
Summary
Tiki Wiki CMS Groupware 5.2 has CSRF
Severity ?
No CVSS data available.
CWE
- UNKNOWN_TYPE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tiki Wiki | CMS Groupware |
Affected:
5.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:34:37.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4241"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4241"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xsrf.txt"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CMS Groupware",
"vendor": "Tiki Wiki",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki Wiki CMS Groupware 5.2 has CSRF"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "UNKNOWN_TYPE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-28T14:43:05",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4241"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2010-4241"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xsrf.txt"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-4241",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "CMS Groupware",
"version": {
"version_data": [
{
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Tiki Wiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki Wiki CMS Groupware 5.2 has CSRF"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNKNOWN_TYPE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2010-4241",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4241"
},
{
"name": "https://access.redhat.com/security/cve/cve-2010-4241",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2010-4241"
},
{
"name": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xsrf.txt",
"refsource": "MISC",
"url": "https://dl.packetstormsecurity.net/1009-exploits/tikiwiki52-xsrf.txt"
},
{
"name": "https://www.openwall.com/lists/oss-security/2010/11/22/9",
"refsource": "MISC",
"url": "https://www.openwall.com/lists/oss-security/2010/11/22/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-4241",
"datePublished": "2019-10-28T14:43:05",
"dateReserved": "2010-11-16T00:00:00",
"dateUpdated": "2024-08-07T03:34:37.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15314 (GCVE-0-2019-15314)
Vulnerability from cvelistv5 – Published: 2019-08-22 12:15 – Updated: 2024-08-05 00:42
VLAI?
Summary
tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.726Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pastebin.com/wEM7rnG7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display\u0026fileId= URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-22T12:15:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pastebin.com/wEM7rnG7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15314",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display\u0026fileId= URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pastebin.com/wEM7rnG7",
"refsource": "MISC",
"url": "https://pastebin.com/wEM7rnG7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15314",
"datePublished": "2019-08-22T12:15:31",
"dateReserved": "2019-08-21T00:00:00",
"dateUpdated": "2024-08-05T00:42:03.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-20719 (GCVE-0-2018-20719)
Vulnerability from cvelistv5 – Published: 2019-01-15 16:00 – Updated: 2024-08-05 12:12
VLAI?
Summary
In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:12:28.320Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-15T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-20719",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes/",
"refsource": "MISC",
"url": "https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-20719",
"datePublished": "2019-01-15T16:00:00",
"dateReserved": "2019-01-15T00:00:00",
"dateUpdated": "2024-08-05T12:12:28.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14849 (GCVE-0-2018-14849)
Vulnerability from cvelistv5 – Published: 2018-08-13 17:00 – Updated: 2024-08-05 09:38
VLAI?
Summary
Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:14.078Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://sourceforge.net/p/tikiwiki/code/66809"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-13T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://sourceforge.net/p/tikiwiki/code/66809"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
},
{
"name": "https://sourceforge.net/p/tikiwiki/code/66809",
"refsource": "CONFIRM",
"url": "https://sourceforge.net/p/tikiwiki/code/66809"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-14849",
"datePublished": "2018-08-13T17:00:00",
"dateReserved": "2018-08-02T00:00:00",
"dateUpdated": "2024-08-05T09:38:14.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-14850 (GCVE-0-2018-14850)
Vulnerability from cvelistv5 – Published: 2018-08-13 17:00 – Updated: 2024-08-05 09:38
VLAI?
Summary
Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:38:14.040Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://sourceforge.net/p/tikiwiki/code/66990"
},
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-08-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-13T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://sourceforge.net/p/tikiwiki/code/66990"
},
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-14850",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sourceforge.net/p/tikiwiki/code/66990",
"refsource": "CONFIRM",
"url": "https://sourceforge.net/p/tikiwiki/code/66990"
},
{
"name": "[oss-security] 20180802 Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/1"
},
{
"name": "[oss-security] 20180802 Re: Stored XSS vulnerabilities in Tiki \u003c= 18.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/08/02/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-14850",
"datePublished": "2018-08-13T17:00:00",
"dateReserved": "2018-08-02T00:00:00",
"dateUpdated": "2024-08-05T09:38:14.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7290 (GCVE-0-2018-7290)
Vulnerability from cvelistv5 – Published: 2018-03-09 20:00 – Updated: 2024-08-05 06:24
VLAI?
Summary
Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://sourceforge.net/p/tikiwiki/code/65537"
},
{
"name": "[oss-security] 20180308 CVE-2018-7290: Stored XSS vulnerability in Tiki \u003c= 18",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/08/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-09T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://sourceforge.net/p/tikiwiki/code/65537"
},
{
"name": "[oss-security] 20180308 CVE-2018-7290: Stored XSS vulnerability in Tiki \u003c= 18",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/08/5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://sourceforge.net/p/tikiwiki/code/65537",
"refsource": "CONFIRM",
"url": "https://sourceforge.net/p/tikiwiki/code/65537"
},
{
"name": "[oss-security] 20180308 CVE-2018-7290: Stored XSS vulnerability in Tiki \u003c= 18",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/08/5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7290",
"datePublished": "2018-03-09T20:00:00",
"dateReserved": "2018-02-21T00:00:00",
"dateUpdated": "2024-08-05T06:24:11.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7302 (GCVE-0-2018-7302)
Vulnerability from cvelistv5 – Published: 2018-02-21 20:00 – Updated: 2024-09-16 17:24
VLAI?
Summary
Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-21T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7302",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html",
"refsource": "MISC",
"url": "https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7302",
"datePublished": "2018-02-21T20:00:00Z",
"dateReserved": "2018-02-21T00:00:00Z",
"dateUpdated": "2024-09-16T17:24:11.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}