Tiki: Security Vulnerabilities

Tiki Wiki CMS Groupware 5.2 has XSS
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-10-28

Tiki Wiki CMS Groupware 5.2 has CSRF
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2019-10-28

tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-08-22

In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2019-01-15

Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-08-13

Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.
CVSS Score: 5.4 | EPSS Score: 0.004 | Published: 2018-08-13

Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-03-09

Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-02-21

The Calendar component in Tiki 17.1 allows HTML injection.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-02-21

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2018-02-21

