Summary
Detail | Value | Detail | Value |
---|---|---|---|
Vendor | Tiki | First view | 2010-03-27 |
Product | Tikiwiki Cms/Groupware | Last view | 2012-09-30 |
Version | 3.2 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:tiki:tikiwiki_cms/groupware | | |
Related : CVE
CVSS | Date | CVE | Description |
---|---|---|---|
4.3 | 2012-09-30 | CVE-2011-4551 | Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters. |
5 | 2012-07-12 | CVE-2012-3996 | TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php. |
7.5 | 2012-07-12 | CVE-2012-0911 | TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. |
7.5 | 2010-03-27 | CVE-2010-1136 | The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to bypass access restrictions related to "persistent login," probably due to the generation of predictable cookies based on the IP address and User agent in userslib.php. |
7.5 | 2010-03-27 | CVE-2010-1134 | SQL injection vulnerability in the _find function in searchlib.php in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to execute arbitrary SQL commands via the $searchDate variable. |
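CVE-2010-1136 above attributes the persistent-login bypass, probably, to cookies derived from the client's IP address and User-Agent. The following Python is an added illustration and is not Tiki's userslib.php: `derived_cookie` is a hypothetical scheme of that shape (an assumption about the mechanism, not the page's finding), and `RememberStore` is the usual alternative, a random secret sent to the browser with only its hash kept server side and an expiry. All names, addresses and values are constructed.

```python
import hashlib
import secrets
import time


def derived_cookie(ip, user_agent, username):
    """Hypothetical predictable scheme (assumption, not Tiki's code): the cookie
    is a digest of values an attacker can observe or guess, so it can be
    recomputed for any victim without ever having seen that victim's cookie."""
    return hashlib.md5(f"{ip}|{user_agent}|{username}".encode()).hexdigest()


def forge_for_victim(ip, user_agent, username):
    """What an attacker does against the scheme above: run the same derivation
    with the victim's IP and User-Agent (both visible to any site they visit)."""
    return derived_cookie(ip, user_agent, username)


class RememberStore:
    """Persistent-login tokens done the usual way: a 256-bit random secret goes
    to the browser, the server keeps only sha256(secret) plus an expiry, and a
    token can be revoked. Nothing here can be recomputed from client data."""

    def __init__(self, ttl_seconds=30 * 86400):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create and return a fresh token for the client; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + self.ttl
        self._rows[self._digest(token)] = (username, expires)
        return token

    def redeem(self, token, now=None):
        """Return the username for a live token, else None. The token is hashed
        before the lookup, so lookup timing reveals at most the hash, which does
        not help an attacker produce a valid token. Expired rows are dropped."""
        now = time.time() if now is None else now
        digest = self._digest(token)
        row = self._rows.get(digest)
        if row is None:
            return None
        user, expires = row
        if now > expires:
            del self._rows[digest]
            return None
        return user

    def revoke(self, token):
        """Invalidate a token (logout); returns True if it existed."""
        return self._rows.pop(self._digest(token), None) is not None


if __name__ == "__main__":
    # Constructed victim attributes: with the derived scheme the attacker's
    # forgery equals the victim's real cookie without any interaction.
    victim = ("203.0.113.5", "Mozilla/5.0", "alice")
    print("forgery matches:", forge_for_victim(*victim) == derived_cookie(*victim))
    store = RememberStore(ttl_seconds=100)
    tok = store.issue("alice", now=1000)
    print("random token redeems:", store.redeem(tok, now=1050))
    print("after expiry:", store.redeem(tok, now=1200))
```

The property to check in a review of any remember-me implementation is the first one: if the cookie value can be computed from inputs the server did not generate, it is not a credential.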
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
20% (1) | CWE-264 | Permissions, Privileges, and Access Controls |
20% (1) | CWE-200 | Information Exposure |
20% (1) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
20% (1) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
20% (1) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
77966 | Tiki Wiki CMS tiki-cookie-jar.php Multiple Parameter XSS |
63321 | TikiWiki CMS/Groupware searchlib.php $searchDate Parameter SQL Injection |
62801 | TikiWiki CMS/Groupware Persistent Login Standard Remember Method Unspecified ... |
ExploitDB Exploits
id | Description |
---|---|
19573 | Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution |
OpenVAS Exploits
Date | Name | File |
---|---|---|
2012-07-09 | Tiki Wiki CMS Groupware 'unserialize()' Multiple PHP Code Execution Vulnerabi... | nvt/gb_tiki_54298.nasl |
2011-12-21 | TikiWiki 'show_errors' Parameter Stored Cross-Site Scripting Vulnerability | nvt/secpod_tikiwiki_show_errors_stored_xss_vuln.nasl |
2010-03-15 | TikiWiki Versions Prior to 4.2 Multiple Unspecified Vulnerabilities | nvt/gb_tikiwiki_38608.nasl |
Snort® IPS/IDS
Date | Name | Rule ID | Type | Revision |
---|---|---|---|---|
2014-11-16 | Tiki Wiki 8.3 unserialize PHP remote code execution attempt | 31569 | SERVER-WEBAPP | 3 |
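The Snort rule above and CVE-2012-0911 name the scripts and parameters through which a crafted serialized object reached `unserialize()`. The following Python scanner is an added example, not Tiki code and not the Snort rule itself: it flags request parameters carrying a PHP object literal (`O:<len>:"<class>":<n>:{`) on those sinks, while plain serialized arrays or strings, which cannot trigger a class's magic methods on their own, pass. The log format and every request line below are constructed; watching `cookieName` on every script is an assumption, since the page names only the library file lib/banners/bannerlib.php and not the scripts that include it.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Scripts and parameters named in the CVE-2012-0911 description.
SINKS = {
    "tiki-print_multi_pages.php": {"printpages", "printstructures"},
    "tiki-print_pages.php": {"printpages", "printstructures"},
    "tiki-send_objects.php": {"sendpages", "sendstructures", "sendarticles"},
}
# cookieName feeds lib/banners/bannerlib.php; the page does not say which
# script includes it, so it is watched on every script (assumption).
GLOBAL_PARAMS = {"cookieName"}

# A PHP serialized object begins O:<len>:"<class>":<nprops>:{ ; only objects
# can reach __wakeup/__destruct, so a:/s:/i: values are not flagged.
PHP_OBJECT = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def parse_form(encoded):
    """Split x-www-form-urlencoded data on '&' only and percent-decode it.
    Done by hand so a ';' inside a payload is never treated as a separator
    (older urllib.parse.parse_qs versions split on ';' as well)."""
    params = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def suspicious_params(method, target, body=""):
    """Return [(script, param, php_class)] for watched params holding an object."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_form(parts.query)
    if method.upper() == "POST" and body:
        for name, values in parse_form(body).items():
            params.setdefault(name, []).extend(values)
    watched = SINKS.get(script, set()) | GLOBAL_PARAMS
    hits = []
    for name, values in params.items():
        if name in watched:
            for value in values:
                match = PHP_OBJECT.search(value)
                if match:
                    hits.append((script, name, match.group(1)))
    return hits


# Constructed log, one request per line: "METHOD TARGET BODY" ('-' = no body).
SAMPLE_LOG = """\
GET /tiki/tiki-print_pages.php?printpages=a:1:{i:0;s:4:"Home";} -
GET /tiki/tiki-print_pages.php?printpages=O:7:"Example":1:{s:4:"file";s:10:"/tmp/x.php";} -
POST /tiki/tiki-send_objects.php sendpages=O:4:"Evil":0:{}
GET /tiki/tiki-index.php?cookieName=O:3:"Foo":0:{} -
GET /tiki/tiki-index.php?page=O:3:"Foo":0:{} -
"""


def scan_log(text):
    """Return [(line_number, hits)] for log lines carrying a serialized object
    in a watched parameter of a listed sink."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        method, target, body = line.split(" ", 2)
        hits = suspicious_params(method, target, "" if body == "-" else body)
        if hits:
            flagged.append((lineno, hits))
    return flagged


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(lineno, hits)
```

Line 1 is a legitimate serialized array of page names and is not flagged; lines 2 to 4 carry object literals on watched parameters; line 5 carries an object on a parameter the page does not list, so it is left alone. A real deployment would also decode double-encoded values and inspect cookies, which this example does not attempt.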
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2012-08-30 | The remote web server hosts an application that allows arbitrary code execution. | tikiwiki_unserialize_code_execution.nasl | ACT_DESTRUCTIVE_ATTACK |