This CPE summary could be partial or incomplete. Please contact us for a detailed listing.


Vendor Tiki First view 2010-03-27
Product Tikiwiki Cms/Groupware Last view 2012-09-30
Version 3.2 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
CPE Product cpe:2.3:a:tiki:tikiwiki_cms/groupware

Activity : Overall

Related : CVE

  Date Alert Description
4.3 2012-09-30 CVE-2011-4551

Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.

5 2012-07-12 CVE-2012-3996

TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php.

7.5 2012-07-12 CVE-2012-0911

TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function.

7.5 2010-03-27 CVE-2010-1136

The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to bypass access restrictions related to "persistent login," probably due to the generation of predictable cookies based on the IP address and User agent in userslib.php.

7.5 2010-03-27 CVE-2010-1134

SQL injection vulnerability in the _find function in searchlib.php in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to execute arbitrary SQL commands via the $searchDate variable.

CWE : Common Weakness Enumeration

20% (1) CWE-264 Permissions, Privileges, and Access Controls
20% (1) CWE-200 Information Exposure
20% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')
20% (1) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
20% (1) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')

Open Source Vulnerability Database (OSVDB)

id Description
77966 Tiki Wiki CMS tiki-cookie-jar.php Multiple Parameter XSS
63321 TikiWiki CMS/Groupware searchlib.php $searchDate Parameter SQL Injection
62801 TikiWiki CMS/Groupware Persistent Login Standard Remember Method Unspecified ...

ExploitDB Exploits

id Description
19573 Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution

OpenVAS Exploits

id Description
2012-07-09 Name : Tiki Wiki CMS Groupware 'unserialize()' Multiple PHP Code Execution Vulnerabi...
File : nvt/gb_tiki_54298.nasl
2011-12-21 Name : TikiWiki 'show_errors' Parameter Stored Cross-Site Scripting Vulnerability
File : nvt/secpod_tikiwiki_show_errors_stored_xss_vuln.nasl
2010-03-15 Name : TikiWiki Versions Prior to 4.2 Multiple Unspecified Vulnerabilities
File : nvt/gb_tikiwiki_38608.nasl

Snort® IPS/IDS

Date Description
2014-11-16 Tiki Wiki 8.3 unserialize PHP remote code execution attempt
RuleID : 31569 - Type : SERVER-WEBAPP - Revision : 3

Nessus® Vulnerability Scanner

id Description
2012-08-30 Name: The remote web server hosts an application that allows arbitrary code execution.
File: tikiwiki_unserialize_code_execution.nasl - Type: ACT_DESTRUCTIVE_ATTACK