
CVE-2025-32461
https://notcve.org/view.php?id=CVE-2025-32461
09 Apr 2025 — wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. • https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVE-2023-22850
https://notcve.org/view.php?id=CVE-2023-22850
14 Jan 2023 — Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. • https://karmainsecurity.com/KIS-2023-03 • CWE-502: Deserialization of Untrusted Data

CVE-2023-22852 – Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-22852
10 Jan 2023 — Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities. • https://packetstorm.news/files/id/170432 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2023-22853 – Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution
https://notcve.org/view.php?id=CVE-2023-22853
10 Jan 2023 — Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php. • https://packetstorm.news/files/id/170433 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-22851 – Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-22851
10 Jan 2023 — Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php. • https://packetstorm.news/files/id/170435 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2020-15906 – Tiki Wiki CMS Groupware 21.1 Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-15906
21 Oct 2020 — tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. Tiki Wiki CMS Groupware version 21.1 suffers from an authentication bypass vulnerability. • https://packetstorm.news/files/id/159663 • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVE-2020-16131
https://notcve.org/view.php?id=CVE-2020-16131
03 Aug 2020 — Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. • https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2011-4558 – Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2011-4558
27 Jan 2020 — Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters. • https://www.exploit-db.com/exploits/18265 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2011-4455
https://notcve.org/view.php?id=CVE-2011-4455
20 Nov 2019 — Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php. • https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2011-4454
https://notcve.org/view.php?id=CVE-2011-4454
20 Nov 2019 — Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index. • https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')