Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
BID:50683
Info
Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 50683 |
| Class: | Input Validation Error |
| CVE: |
CVE-2011-4454 CVE-2011-4455 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 15 2011 12:00AM |
| Updated: | Mar 19 2015 09:12AM |
| Credit: | Stefan Schurtz |
| Vulnerable: |
Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 7.2 Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 6.4 |
| Not Vulnerable: |
Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 8.1 |
Discussion
Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
Tiki Wiki CMS Groupware is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Tiki Wiki CMS Groupware 6.4, 7.2 and 8.0RC1 are vulnerable; other versions may also be affected.
Tiki Wiki CMS Groupware is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Tiki Wiki CMS Groupware 6.4, 7.2 and 8.0RC1 are vulnerable; other versions may also be affected.
Exploit / POC
Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
To exploit these issues, an attacker must entice an unsuspecting user to follow a malicious URI.
The following example URIs are available:
To exploit these issues, an attacker must entice an unsuspecting user to follow a malicious URI.
The following example URIs are available:
Solution / Fix
Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
Solution:
Updates are available. Please see the references for more details.
Solution:
Updates are available. Please see the references for more details.
References
Tiki Wiki CMS Groupware Multiple Cross Site Scripting Vulnerabilities
References:
References:
- Tiki 8.1 Now Available, End-of-Life for Tiki 7.x (Tiki)
- Tiki Wiki CMS Groupware Homepage (Tiki Wiki CMS Groupware)
- Tiki Wiki CMS Groupware Multiple XSS vulnerabilities (Stefan Schurtz)