Tiki
by Tiki
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-32461 | | Critical | 0.57 | 9.9 | 0.01 | | Apr 9, 2025 | wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. |
| CVE-2018-7304 | | High | 0.57 | 8.8 | 0.01 | | Feb 21, 2018 | Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd\|' /C calc'!A0" payload during User Creation. |
| CVE-2017-14924 | | High | 0.52 | 8.0 | 0.01 | | Sep 30, 2017 | Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element,… |
| CVE-2024-46879 | | Medium | 0.35 | 5.4 | 0.00 | | Mar 23, 2026 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive… |
| CVE-2024-46878 | | Medium | 0.35 | 5.4 | 0.00 | | Mar 23, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or… |
| CVE-2007-5423 | | | 0.09 | — | 0.77 | | Oct 12, 2007 | tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function. |
| CVE-2020-15906 | | | 0.07 | — | 0.27 | | Oct 22, 2020 | tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. |
| CVE-2006-5702 | | | 0.07 | — | 0.53 | | Nov 4, 2006 | Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6)… |
| CVE-2006-4602 | | | 0.06 | — | 0.43 | | Sep 7, 2006 | Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory. |
| CVE-2007-6528 | | | 0.04 | — | 0.09 | | Dec 27, 2007 | Directory traversal vulnerability in tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and modified filename in the movie parameter. |
| CVE-2004-1926 | | | 0.04 | — | 0.07 | | Apr 11, 2004 | Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a… |
| CVE-2009-1204 | | | 0.03 | — | 0.05 | | Apr 1, 2009 | Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupware 2.2 allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to (1) tiki-galleries.php, (2) tiki-list_file_gallery.php, (3) tiki-listpages.php, and (4)… |
| CVE-2007-5684 | | | 0.03 | — | 0.03 | | Oct 26, 2007 | Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in… |
| CVE-2006-5703 | | | 0.03 | — | 0.02 | | Nov 4, 2006 | Cross-site scripting (XSS) vulnerability in tiki-featured_link.php in Tikiwiki 1.9.5 allows remote attackers to inject arbitrary web script or HTML via a url parameter that evades filtering, as demonstrated by a parameter value containing malformed, nested SCRIPT elements. |
| CVE-2004-1924 | | | 0.03 | — | 0.02 | | Apr 11, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php,… |
| CVE-2024-51507 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. |
| CVE-2024-51509 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. |
| CVE-2024-51508 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. |
| CVE-2024-51506 | | | 0.00 | — | 0.00 | | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. |
| CVE-2023-22852 | | | 0.00 | — | 0.00 | | Jan 14, 2023 | Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. |