CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-15314
https://notcve.org/view.php?id=CVE-2019-15314
22 Aug 2019 — tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI. El archivo tiki/tiki-upload_file.php en Tiki versión 18.4, permite a atacantes remotos cargar código JavaScript que es ejecutado al visitar un URI tiki/tiki-download_file.php?display&fileId=. • https://pastebin.com/wEM7rnG7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20719
https://notcve.org/view.php?id=CVE-2018-20719
15 Jan 2019 — In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter. En Tiki en versiones anteriores a la 17.2, el componente "user task" es vulnerable a una inyección SQL mediante el parámetro show_history en tiki-user_tasks.php. • https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-14849
https://notcve.org/view.php?id=CVE-2018-14849
13 Aug 2018 — Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php. Tiki en versiones anteriores a la 18.2, 15.7 y 12.14 tiene Cross-Site Scripting (XSS) mediante los atributos link relacionados con lib/core/WikiParser/OutputLink.php y lib/parser/parserlib.php. • http://www.openwall.com/lists/oss-security/2018/08/02/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2018-14850
https://notcve.org/view.php?id=CVE-2018-14850
13 Aug 2018 — Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image. Vulnerabilidades Cross-Site Scripting (XSS) persistente en Tiki en versiones anteriores a la 18.2, 15.7 y 12.14 permiten que un usuario autenticado inyecte código JavaScript para obtener privilegios de administrador si un administrador abre una página wiki y mueve... • http://www.openwall.com/lists/oss-security/2018/08/02/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2018-7290
https://notcve.org/view.php?id=CVE-2018-7290
09 Mar 2018 — Cross Site Scripting (XSS) exists in Tiki before 12.13, 15.6, 17.2, and 18.1. Existe Cross-Site Scripting (XSS) en Tiki, en versiones anteriores a la 12.13, 15.6, 17.2 y la 18.1. • http://www.openwall.com/lists/oss-security/2018/03/08/5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7302
https://notcve.org/view.php?id=CVE-2018-7302
21 Feb 2018 — Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. Tiki 17.1 permite la subida de un archivo .PNG que, en realidad, tiene contenido SVG, lo que conduce a XSS. • https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7303
https://notcve.org/view.php?id=CVE-2018-7303
21 Feb 2018 — The Calendar component in Tiki 17.1 allows HTML injection. El componente Calendar en Tiki 17.1 permite la inyección HTML. • https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7304
https://notcve.org/view.php?id=CVE-2018-7304
21 Feb 2018 — Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation. Tiki 17.1 no valida las entradas de usuario para caracteres especiales, lo que provoca que un ataque de inyección CSV pueda abrir una ventana CMD.EXE o Calculator en la máquina de la víctima para realizar actividades maliciosas. Esto se demuestra... • https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7188
https://notcve.org/view.php?id=CVE-2018-7188
16 Feb 2018 — An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php. Una vulnerabilidad de XSS (mediante una imagen SVG) en Tiki, en versiones anteriores a la 18, permite que un usuario autenticado obtenga privilegios de administrador si un administrador abre una página de wiki con una imagen SVG maliciosa. Esto está relacionado con lib/filegals/filegal... • http://openwall.com/lists/oss-security/2018/02/16/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7394
https://notcve.org/view.php?id=CVE-2016-7394
06 Feb 2018 — tiki wiki cms groupware <=15.2 has a xss vulnerability, allow attackers steal user's cookie. tiki wiki cms groupware, en versiones iguales o anteriores a la 15.2, tiene una vulnerabilidad de XSS que permite que atacantes roben las cookies de los usuarios. • https://sourceforge.net/p/tikiwiki/code/59653 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •