Tiki » Tikiwiki Cms/groupware » 1.9.4: Security Vulnerabilities, CVEs, CVSS score >= 5
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PHP web pages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.
Max CVSS: 6.5 | EPSS Score: 0.08% | Published: 2020-04-01 | Updated: 2020-04-03
In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
Max CVSS: 8.8 | EPSS Score: 0.09% | Published: 2019-01-15 | Updated: 2019-01-18
An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php.
Max CVSS: 5.4 | EPSS Score: 0.05% | Published: 2018-02-16 | Updated: 2018-03-13
Tiki Wiki CMS Groupware <=15.2 has an XSS vulnerability that allows attackers to steal users' cookies.
Max CVSS: 6.1 | EPSS Score: 0.08% | Published: 2018-02-06 | Updated: 2018-03-13
A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMS Groupware 11.0 via the id parameter to ZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.
Max CVSS: 6.1 | EPSS Score: 0.12% | Published: 2020-02-12 | Updated: 2020-02-18
TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php.
Max CVSS: 5.0 | EPSS Score: 0.42% | Published: 2012-07-12 | Updated: 2012-10-24
Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
Max CVSS: 6.1 | EPSS Score: 0.26% | Published: 2020-01-15 | Updated: 2020-01-21
Unspecified vulnerability in TikiWiki CMS/Groupware before 2.0 allows attackers to obtain "path and PHP configuration" via unknown vectors.
Max CVSS: 5.0 | EPSS Score: 0.19% | Published: 2008-08-13 | Updated: 2017-08-08
Multiple unspecified vulnerabilities in TikiWiki CMS/Groupware before 2.0 have unknown impact and attack vectors.
Max CVSS: 10.0 | EPSS Score: 0.24% | Published: 2008-08-13 | Updated: 2017-08-08
Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have unknown impact and attack vectors involving (1) tiki-edit_css.php, (2) tiki-list_games.php, or (3) tiki-g-admin_shared_source.php.
Max CVSS: 10.0 | EPSS Score: 0.79% | Published: 2007-12-27 | Updated: 2012-10-24
Directory traversal vulnerability in tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and modified filename in the movie parameter.
Max CVSS: 5.0 | EPSS Score: 1.81% | Published: 2007-12-27 | Updated: 2018-10-15
Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in the imp_language parameter to tiki-imexport_languages.php.
Max CVSS: 7.5 | EPSS Score: 1.41% | Published: 2007-10-26 | Updated: 2012-10-24
Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write variables whose names match the whitelist, a different vulnerability than CVE-2007-5423.
Max CVSS: 7.5 | EPSS Score: 6.24% | Published: 2007-10-26 | Updated: 2012-10-24
tiki-register.php in TikiWiki before 1.9.7 allows remote attackers to trigger "notification-spam" via certain vectors such as a comma-separated list of addresses in the email field, related to lack of "a minimal check on email."
Max CVSS: 7.5 | EPSS Score: 1.01% | Published: 2006-11-29 | Updated: 2012-10-24
Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php in Tikiwiki 1.9.4 allow remote attackers to execute arbitrary SQL commands via the (1) pid and (2) where parameters.
Max CVSS: 7.5 | EPSS Score: 0.67% | Published: 2006-09-13 | Updated: 2018-10-17
CVE-2006-4602 (public exploit available)
Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.
Max CVSS: 7.5 | EPSS Score: 96.41% | Published: 2006-09-07 | Updated: 2017-10-19
16 vulnerabilities found