Vendor CVEs
Tiki
All CVEs
89 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-0911 | Tiki | Critical | 0.72 | 9.8 | 0.63 | — | Jul 12, 2012 | TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b)… |
| CVE-2025-34113 | Tiki | High | 0.65 | — | 0.02 | — | Jul 15, 2025 | An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an… |
| CVE-2025-32461 | Tiki | Critical | 0.57 | 9.9 | 0.01 | — | Apr 9, 2025 | wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. |
| CVE-2018-7304 | Tiki | High | 0.57 | 8.8 | 0.01 | — | Feb 21, 2018 | Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd\|' /C calc'!A0" payload during User Creation. |
| CVE-2017-14925 | Tiki | High | 0.52 | 8.0 | 0.01 | — | Sep 30, 2017 | Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related… |
| CVE-2017-14924 | Tiki | High | 0.52 | 8.0 | 0.01 | — | Sep 30, 2017 | Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element,… |
| CVE-2016-10143 | Tiki | High | 0.49 | 7.5 | 0.02 | — | Jan 20, 2017 | A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field. |
| CVE-2017-9145 | Tiki | Medium | 0.40 | 6.1 | 0.01 | — | Jun 26, 2017 | TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not properly validate the imgsize or lang parameter to prevent XSS. |
| CVE-2017-9305 | Tiki | Medium | 0.40 | 6.1 | 0.01 | — | May 31, 2017 | lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php. |
| CVE-2016-9889 | Tiki | Medium | 0.40 | 6.1 | 0.01 | — | Dec 23, 2016 | Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS. |
| CVE-2024-46879 | Tiki | Medium | 0.35 | 5.4 | 0.00 | — | Mar 23, 2026 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive… |
| CVE-2024-46878 | Tiki | Medium | 0.35 | 5.4 | 0.00 | — | Mar 23, 2026 | A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or… |
| CVE-2018-14850 | Tiki | Medium | 0.35 | 5.4 | 0.01 | — | Aug 13, 2018 | Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image. |
| CVE-2018-14849 | Tiki | Medium | 0.35 | 5.4 | 0.01 | — | Aug 13, 2018 | Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php. |
| CVE-2018-7290 | Tiki | Medium | 0.35 | 5.4 | 0.01 | — | Mar 9, 2018 | Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1. |
| CVE-2018-7303 | Tiki | Medium | 0.35 | 5.4 | 0.01 | — | Feb 21, 2018 | The Calendar component in Tiki 17.1 allows HTML injection. |
| CVE-2018-7188 | Tiki | Medium | 0.35 | 5.4 | 0.01 | — | Feb 16, 2018 | An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php. |
| CVE-2025-34111 | Tiki | — | 0.10 | — | 0.02 | — | Jul 15, 2025 | An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of… |
| CVE-2007-5423 | Tiki | — | 0.09 | — | 0.77 | — | Oct 12, 2007 | tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function. |
| CVE-2005-1921 | Tiki | — | 0.09 | — | 0.79 | — | Jul 5, 2005 | Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7)… |
| CVE-2020-15906 | Tiki | — | 0.07 | — | 0.27 | — | Oct 22, 2020 | tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. |
| CVE-2006-5702 | Tiki | — | 0.07 | — | 0.53 | — | Nov 4, 2006 | Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6)… |
| CVE-2006-4602 | Tiki | — | 0.06 | — | 0.43 | — | Sep 7, 2006 | Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory. |
| CVE-2010-4239 | Tiki | — | 0.04 | — | 0.13 | — | Oct 28, 2019 | Tiki Wiki CMS Groupware 5.2 has Local File Inclusion. |
| CVE-2012-5321 | Tiki | — | 0.04 | — | 0.08 | — | Oct 8, 2012 | tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection." |
| CVE-2007-6528 | Tiki | — | 0.04 | — | 0.09 | — | Dec 27, 2007 | Directory traversal vulnerability in tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and modified filename in the movie parameter. |
| CVE-2004-1926 | Tiki | — | 0.04 | — | 0.07 | — | Apr 11, 2004 | Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a… |
| CVE-2011-4336 | Tiki | — | 0.03 | — | 0.08 | — | Jan 15, 2020 | Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php. |
| CVE-2011-4551 | Tiki | — | 0.03 | — | 0.02 | — | Oct 1, 2012 | Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters. |
| CVE-2012-3996 | Tiki | — | 0.03 | — | 0.05 | — | Jul 12, 2012 | TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php. |
| CVE-2009-1204 | Tiki | — | 0.03 | — | 0.05 | — | Apr 1, 2009 | Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupware 2.2 allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to (1) tiki-galleries.php, (2) tiki-list_file_gallery.php, (3) tiki-listpages.php, and (4)… |
| CVE-2007-5684 | Tiki | — | 0.03 | — | 0.03 | — | Oct 26, 2007 | Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in… |
| CVE-2006-5703 | Tiki | — | 0.03 | — | 0.02 | — | Nov 4, 2006 | Cross-site scripting (XSS) vulnerability in tiki-featured_link.php in Tikiwiki 1.9.5 allows remote attackers to inject arbitrary web script or HTML via a url parameter that evades filtering, as demonstrated by a parameter value containing malformed, nested SCRIPT elements. |
| CVE-2006-2635 | Tiki | — | 0.03 | — | 0.04 | — | May 30, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "<script>" in (1) offset and (2) days parameters in (a)… |
| CVE-2004-1928 | Tiki | — | 0.03 | — | 0.03 | — | Apr 12, 2004 | The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL. |
| CVE-2004-1925 | Tiki | — | 0.03 | — | 0.01 | — | Apr 12, 2004 | Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4)… |
| CVE-2004-1927 | Tiki | — | 0.03 | — | 0.04 | — | Apr 11, 2004 | Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter. |
| CVE-2004-1924 | Tiki | — | 0.03 | — | 0.02 | — | Apr 11, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php,… |
| CVE-2004-1923 | Tiki | — | 0.03 | — | 0.03 | — | Apr 11, 2004 | Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an… |
| CVE-2024-51507 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name. |
| CVE-2024-51509 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. |
| CVE-2024-51506 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description. |
| CVE-2024-51508 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2024 | Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index. |
| CVE-2023-22852 | Tiki | — | 0.00 | — | 0.00 | — | Jan 14, 2023 | Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. |
| CVE-2023-22851 | Tiki | — | 0.00 | — | 0.01 | — | Jan 14, 2023 | Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. |
| CVE-2023-22850 | Tiki | — | 0.00 | — | 0.01 | — | Jan 14, 2023 | Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. |
| CVE-2023-22853 | Tiki | — | 0.00 | — | 0.01 | — | Jan 14, 2023 | Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. |
| CVE-2021-36551 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2021 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module. |
| CVE-2021-36550 | Tiki | — | 0.00 | — | 0.00 | — | Oct 28, 2021 | TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module. |
| CVE-2020-29254 | Tiki | — | 0.00 | — | 0.01 | — | Dec 11, 2020 | TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF… |
Page 1 of 2