Lucene search

K
gentooGentoo FoundationGLSA-200507-06
HistoryJul 06, 2005 - 12:00 a.m.

TikiWiki: Arbitrary command execution through XML-RPC

2005-07-0600:00:00
Gentoo Foundation
security.gentoo.org
25

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.959 High

EPSS

Percentile

99.4%

Background

TikiWiki is a web-based groupware and content management system (CMS), using PHP, ADOdb and Smarty. TikiWiki includes vulnerable PHP XML-RPC code.

Description

TikiWiki is vulnerable to arbitrary command execution as described in GLSA 200507-01.

Impact

A remote attacker could exploit this vulnerability to execute arbitrary PHP code by sending specially crafted XML data.

Workaround

There is no known workaround at this time.

Resolution

All TikiWiki users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.8.5-r1"
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-apps/tikiwiki< 1.8.5-r1UNKNOWN

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.959 High

EPSS

Percentile

99.4%