CVE-2018-7302

Vulnerability

Tiki 17.1 fails to properly validate file content when uploading image files. An attacker can upload a file with a .png extension that in reality contains SVG markup, bypassing the MIME type and extension filters. The SVG payload, when rendered by the browser, executes arbitrary JavaScript in the context of the affected page. This issue affects Tiki version 17.1 as described in [1] and [2].

Exploitation

An attacker must have an authenticated account on a Tiki 17.1 instance. They create a text file containing SVG content with an onload event (e.g., `) and rename it with a .png` extension. The file is then uploaded through the CMS file upload functionality, which only checks the extension, not the actual content [2]. When a victim views the uploaded file (e.g., via a page or gallery), the SVG is rendered and the script executes.

Impact

Successful exploitation leads to cross-site scripting (XSS) in the victim's browser. The attacker can execute arbitrary JavaScript, steal session cookies, perform actions on behalf of the authenticated user, deface content, or redirect to malicious sites. The compromise occurs at the privilege level of the victim user [2].

Mitigation

Tiki has not released a specific patch for this version as of the publication date (2018-02-21). The CVE references do not indicate a fix [3]. Users should upgrade to a newer version of Tiki if available, and administrators can restrict file upload to only trusted users or disable SVG-based file types. There is no known workaround in the available references.