CVE-2021-36550
https://notcve.org/view.php?id=CVE-2021-36550
TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.
References: https://github.com/r0ck3t1973/xss_payload/issues/6
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-29254
https://notcve.org/view.php?id=CVE-2020-29254
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user.
References: https://github.com/S1lkys/CVE-2020-29254 ; https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-Wiki%2021.2%20by%20Maximilian%20Barz.pdf ; https://youtu.be/Uc3sRBitu50
CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-15906 – Tiki Wiki CMS Groupware 21.1 Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-15906
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. Tiki Wiki CMS Groupware version 21.1 suffers from an authentication bypass vulnerability.
References: https://github.com/S1lkys/CVE-2020-15906 ; http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html ; https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3
CWE-307: Improper Restriction of Excessive Authentication Attempts

CVE-2020-16131
https://notcve.org/view.php?id=CVE-2020-16131
Tiki before 21.2 allows XSS because the character class [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php.
References: https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1 ; https://tiki.org/News
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-8966 – Cross Site Scripting (XSS) flaws found in Tiki-Wiki CMS software
https://notcve.org/view.php?id=CVE-2020-8966
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PHP web pages of Tiki-Wiki Groupware. Tiki-Wiki CMS, all versions through 20.0, allows malicious users to inject malicious code fragments (scripts) into a legitimate web page.
References: https://sourceforge.net/p/tikiwiki/code/75455 ; https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ; CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)