CVSS: 7.5EPSS: 1%CPEs: 14EXPL: 1CVE-2007-5684 – TikiWiki 1.9.8.1 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2007-5684
Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in the imp_language parameter to tiki-imexport_languages.php. Múltiples vulnerabilidades de escalado de directorio en el TikiWiki 1.9.8.1 y versiones anteriores permiten a atacantes remotos incluir y ejecutar ficheros de su elección a través de un nombre de ruta absoluta en los parámetros (1) error_handler_file y (2) local_php en el a) tiki-index.php, o en las secuencias (3) codificadas "..%2F" en el parámetro imp_language del tiki-imexport_languages.php. • https://www.exploit-db.com/exploits/4568 http://info.tikiwiki.org/tiki-read_article.php?articleId=15 http://www.securityfocus.com/archive/1/482801/30/0/threaded • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 6%CPEs: 13EXPL: 0CVE-2007-5682
https://notcve.org/view.php?id=CVE-2007-5682
Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write variables whose names match the whitelist, a different vulnerability than CVE-2007-5423. Una vulnerabilidad de lista negra incompleta en el archivo tiki-graph_formula.php en TikiWiki versiones anteriores a 1.9.8.2, permite a atacantes remotos ejecutar código arbitrario mediante el uso de funciones variables y variables variantes para escribir variables cuyos nombres coincidan con la lista blanca, una vulnerabilidad diferente de CVE-2007-5423. • http://info.tikiwiki.org/tiki-read_article.php?articleId=15 http://osvdb.org/43610 http://www.securityfocus.com/archive/1/482908 http://www.securityfocus.com/bid/26220 http://www.sektioneins.de/advisories/SE-2007-01.txt • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 96%CPEs: 1EXPL: 5CVE-2007-5423 – TikiWiki tiki-graph_formula Remote PHP Code Execution
https://notcve.org/view.php?id=CVE-2007-5423
tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function. El archivo tiki-graph_formula.php en TikiWiki versión 1.9.8, permite a atacantes remotos ejecutar código arbitrario por medio de secuencias PHP en el parámetro array f, que son procesadas mediante create_function. TikiWiki versions 1.9.8 and below contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP commands resulting in a loss of integrity. • https://www.exploit-db.com/exploits/4509 https://www.exploit-db.com/exploits/16911 http://bugs.gentoo.org/show_bug.cgi?id=195503 http://osvdb.org/40478 http://secunia.com/advisories/27190 http://secunia.com/advisories/27344 http://securityreason.com/securityalert/3216 http://securityvulns.ru/Sdocument162.html http://sourceforge.net/forum/forum.php?forum_id=744898 http://sourceforge.net/project/shownotes.php?release_id=546283&group_id=64258 http://www.gentoo.org/security/en&# • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2007-4554
https://notcve.org/view.php?id=CVE-2007-4554
Cross-site scripting (XSS) vulnerability in tiki-remind_password.php in Tikiwiki (aka Tiki CMS/Groupware) 1.9.7 allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: this issue might be related to CVE-2006-2635.7. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en tiki-remind_password.php en Tikiwiki (también conocido como Tiki CMS/Groupware) 1.9.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro username. NOTA: este asunto podría estar relacionado con CVE-2006-2635.7. • http://secunia.com/advisories/26618 http://securityreason.com/securityalert/3064 http://www.securityfocus.com/archive/1/477653/100/0/threaded http://www.securityfocus.com/bid/25433 http://www.vupen.com/english/advisories/2007/2984 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2006-6457
https://notcve.org/view.php?id=CVE-2006-6457
tiki-wiki_rss.php in Tikiwiki 1.9.5, 1.9.2, and possibly other versions allows remote attackers to obtain sensitive information (MySQL username and password) via an invalid (large or negative) ver parameter, which leaks the information in an error message. tiki-wiki_rss.php en Tikiwiki 1.9.5, 1.9.2, y posiblemente otras versiones permite a atacantes remotos obtener información sensible (nombre de usuario y contraseña MySQL) mediante un parámetro ver inválido (largo o negativo), lo cual filtra la información en un mensaje de error. • http://www.securityfocus.com/archive/1/452639/100/200/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •