Skip to main content

Tiki

12 CVEs product

Monthly

CVE-2024-51509 MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Tiki
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-51508 MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-51507 MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-51506 MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
CVSS 3.1
4.8
EPSS
0.2%
CVE-2023-22851 HIGH POC This Week

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Deserialization Tiki
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2023-22850 HIGH POC This Week

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Tiki
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-22853 HIGH This Week

Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP Tiki
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-22852 MEDIUM This Month

Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP CSRF Tiki
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2020-15906 CRITICAL POC PATCH THREAT Act Now

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Tiki
NVD
CVSS 3.1
9.8
EPSS
27.4%
CVE-2020-16131 MEDIUM This Month

Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Tiki
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2018-7304 HIGH POC This Week

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Tiki
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2018-7302 PHP MEDIUM POC This Month

Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Tiki
NVD
CVSS 3.0
5.4
EPSS
0.6%
EPSS 0% CVSS 4.8
MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Tiki
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tiki
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Deserialization +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Deserialization Tiki
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP CSRF Tiki
NVD
EPSS 27% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure PHP Tiki
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS PHP Tiki
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Tiki
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Tiki
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy