XSS in Tiki Wiki CMS Groupware

ID SSV:20750
Type seebug
Reporter Root
Modified 2011-07-20T00:00:00


No description provided by source.

                                                Vendor:	info.tiki.org ( http://info.tiki.org )
Vulnerable Version:	7.0 and probably prior
Tested on:	7.0

High-Tech Bridge SA Security Research Lab has discovered vulnerability in Tiki Wiki CMS Groupware, which can be exploited to perform cross-site scripting attacks.

Input passed via the GET "ajax" parameter to snarf_ajax.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.

The following PoC code is available: