CVSS: 9.9EPSS: 0%CPEs: 4EXPL: 0CVE-2025-32461
https://notcve.org/view.php?id=CVE-2025-32461
09 Apr 2025 — wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3. • https://gitlab.com/tikiwiki/tiki/-/commit/406bea4f6c379a23903ecfd55e538d90fd669ab0 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-22850
https://notcve.org/view.php?id=CVE-2023-22850
14 Jan 2023 — Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call. Tiki anterior a 24.1, cuando la función Spreadsheets está habilitada, permite la inyección de objetos PHP lib/sheet/grid.php debido a una llamada de deserialización. • https://karmainsecurity.com/KIS-2023-03 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-22852 – Tiki Wiki CMS Groupware 25.0 Cross Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-22852
10 Jan 2023 — Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php. Tiki hasta la versión 25.0 permite ataques CSRF relacionados con tiki-importer.php y tiki-import_sheet.php. Tiki Wiki CMS Groupware versions 25.0 and below suffer from multiple cross site request forgery vulnerabilities. • https://packetstorm.news/files/id/170432 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-22853 – Tiki Wiki CMS Groupware 24.0 structlib.php Code Execution
https://notcve.org/view.php?id=CVE-2023-22853
10 Jan 2023 — Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. Tiki anterior a 24.1, cuando feature_create_webhelp está habilitado, permite la inyección de objetos PHP lib/structures/structlib.php debido a una evaluación. Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php. • https://packetstorm.news/files/id/170433 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2023-22851 – Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-22851
10 Jan 2023 — Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call. Tiki anterior a 24.2 permite la inyección de objetos PHP lib/importer/tikiimporter_blog_wordpress.php por parte de un administrador debido a una llamada de deseriaización. Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php. • https://packetstorm.news/files/id/170435 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-16131
https://notcve.org/view.php?id=CVE-2020-16131
03 Aug 2020 — Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php. Tiki versiones anteriores a 21.2, permite un ataque de tipo XSS porque [\s\/"\'] no es considerado apropiadamente en la biblioteca lib/core/TikiFilter/PreventXss.php • https://gitlab.com/tikiwiki/tiki/-/commit/d12d6ea7b025d3b3f81c8a71063fe9f89e0c4bf1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 3%CPEs: 1EXPL: 2CVE-2011-4558 – Tiki Wiki CMS Groupware 8.2 - 'snarf_ajax.php' Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2011-4558
27 Jan 2020 — Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters. Tiki versión 8.2 y anteriores, permiten a administradores remotos ejecutar código PHP arbitrario por medio de una entrada diseñada a los parámetros regexres y regex. • https://www.exploit-db.com/exploits/18265 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2011-4455
https://notcve.org/view.php?id=CVE-2011-4455
20 Nov 2019 — Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php. Múltiples vulnerabilidades de tipo cross-site scripting en Tiki versiones 7.2 y anteriores, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de la información de ruta en el archivo (1) tiki-admin_system.php, (2) tiki-pagehis... • https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2011-4454
https://notcve.org/view.php?id=CVE-2011-4454
20 Nov 2019 — Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index. Múltiples vulnerabilidades de tipo cross-site scripting en Tiki versión 8.0 RC1 y anteriores, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de la información de ruta en el archivo (1) tiki-remind_password.php, (2) tiki-index.php, (... • https://packetstormsecurity.com/files/107082/Tiki-Wiki-CMS-Groupware-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •