CVE-2016-7394
https://notcve.org/view.php?id=CVE-2016-7394
tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie. tiki wiki cms groupware, en versiones iguales o anteriores a la 15.2, tiene una vulnerabilidad de XSS que permite que atacantes roben las cookies de los usuarios. • https://sourceforge.net/p/tikiwiki/code/59653 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-3996 – Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-3996
TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php. TikiWiki CMS/Groupware v8.3 y anteriores permite a atacantes remotos obtener la ruta de instalación mediante una peticion a (1) admin/include_calendar.php, (2) tiki-rss_error.php, o (3) tiki-watershed_service.php. • https://www.exploit-db.com/exploits/19573 https://www.exploit-db.com/exploits/19630 http://archives.neohapsis.com/archives/bugtraq/2012-07/0020.html http://dev.tiki.org/item4109 http://info.tiki.org/article190-Tiki-Wiki-CMS-Groupware-Updates-Tiki-6-7-LTS http://info.tiki.org/article191-Tiki-Releases-8-4 http://www.exploit-db.com/exploits/19573 http://www.exploit-db.com/exploits/19630 http://www.osvdb.org/83533 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-0911 – Tiki Wiki CMS Groupware 8.3 - 'Unserialize()' PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-0911
TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) sendarticles parameter to tiki-send_objects.php, which is not properly handled when processed by the unserialize function. TikiWiki CMS/Groupware anterior a v6.7 LTS y anterior a v8.4 permite a atacantes remotos ejecutar código arbitrario PHP mediante un objeto serializado manipulado en el parámetro (1) cookieName para lib/banners/bannerlib.php; (2) printpages o (3) el parámetro printstructures para (a) tiki-print_multi_pages.php o (b) tiki-print_pages.php; o (4) sendpages, (5) sendstructures, o (6) el parámetro sendarticles para to tiki-send_objects.php, el cual no es correctamente procesado por la función unserialize Tiki Wiki CMS Groupware versions 8.3 and below suffer from an unserialize() PHP code execution vulnerability. • https://www.exploit-db.com/exploits/19573 https://www.exploit-db.com/exploits/19630 http://archives.neohapsis.com/archives/bugtraq/2012-07/0020.html http://dev.tiki.org/item4109 http://info.tiki.org/article190-Tiki-Wiki-CMS-Groupware-Updates-Tiki-6-7-LTS http://info.tiki.org/article191-Tiki-Releases-8-4 http://osvdb.org/83534 http://www.exploit-db.com/exploits/19573 http://www.exploit-db.com/exploits/19630 http://www.securityfocus.com/bid/54298 https://exchang • CWE-502: Deserialization of Untrusted Data •
CVE-2011-4551 – Tiki Wiki CMS Groupware 8.1 - 'show_errors' HTML Injection
https://notcve.org/view.php?id=CVE-2011-4551
Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en tiki-cookie-jar.php en TikiWiki CMS/Groupware, antes de v8.2 y LTS antes de v6.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de parámetros de su elección. Tiki Wiki CMS Groupware versions 8.1 and 6.4 LTS suffer from a stored cross site scripting vulnerability. • https://www.exploit-db.com/exploits/36470 http://info.tiki.org/article183-Tiki-Wiki-CMS-Groupware-8-2-and-6-5LTS-Security-Patches-Available http://secunia.com/advisories/47278 http://www.infoserve.de/system/files/advisories/INFOSERVE-ADV2011-07.txt http://www.osvdb.org/77966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2006-2635 – TikiWiki 1.9 - 'tiki-lastchanges.php' Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2006-2635
Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "<scr<script>ipt>" in (1) offset and (2) days parameters in (a) tiki-lastchanges.php, the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php, the (5) offset and (6) initial parameters in (c) tiki-listpages.php, and (7) an unspecified field in (d) tiki-remind_password.php; and allow remote authenticated users with admin privileges to inject arbitrary web script or HTML via (8) an unspecified field in a metatags action in (e) tiki-admin.php, the (9) offset parameter in (f) tiki-admin_rssmodules.php, the (10) offset and (11) max parameters in (g) tiki-syslog.php, the (12) numrows parameter in (h) tiki-adminusers.php, (13) an unspecified field in (i) tiki-adminusers.php, (14) an unspecified field in (j) tiki-admin_hotwords.php, unspecified fields in (15) "Assign new module" and (16) "Create new user module" in (k) tiki-admin_modules.php, (17) an unspecified field in "Add notification" in (l) tiki-admin_notifications.php, (18) the offset parameter in (m) tiki-admin_notifications.php, the (19) Name and (20) Dsn fields in (o) tiki-admin_dsn.php, the (21) offset parameter in (p) tiki-admin_content_templates.php, (22) an unspecified field in "Create new template" in (q) tiki-admin_content_templates.php, and the (23) offset parameter in (r) tiki-admin_chat.php. • https://www.exploit-db.com/exploits/27917 http://secunia.com/advisories/20334 http://securityreason.com/securityalert/976 http://tikiwiki.org/tiki-read_article.php?articleId=131 http://www.osvdb.org/26048 http://www.osvdb.org/26049 http://www.osvdb.org/26050 http://www.osvdb.org/26051 http://www.osvdb.org/26052 http://www.osvdb.org/26053 http://www.osvdb.org/26054 http://www.osvdb.org/26055 http://www.osvdb.org/26056 http://www.osvdb.org/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •