CVE-2023-22851 : Tiki before 24.2 allows lib/importer/tikiimporter_blog

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.

Published 2023-01-14 02:15:12

Updated 2023-01-25 19:05:12

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-22851

Tiki » Tiki
Versions before (<) 24.2
cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 48 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	1.2	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

https://karmainsecurity.com/KIS-2023-04

Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability | Karma(In)Security
Exploit;Third Party Advisory
https://tiki.org/articles

View Articles
Vendor Advisory

CVEs referencing this url

Jump to