Tiki Wiki CMS Groupware 'show_errors' Parameter HTML Injection Vulnerability

Bugtraq ID:	51128
Class:	Input Validation Error
CVE:	CVE-2011-4551
Remote:	Yes
Local:	No
Published:	Dec 20 2011 12:00AM
Updated:	Mar 19 2015 08:19AM
Credit:	Stefan Schurtz
Vulnerable:	Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 8.1 Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 7.2 Tiki Wiki CMS Groupware Tiki Wiki CMS/Groupware 6.4 Tiki Wiki CMS Groupware Tiki Wiki CMS Groupware 7.0 Tiki Wiki CMS Groupware Tiki Wiki CMS Groupware 6.4 LTS Tiki Wiki CMS Groupware Tiki Wiki CMS Groupware 5.2
Not Vulnerable:	Tiki Wiki CMS Groupware Tiki Wiki CMS Groupware 8.2 Tiki Wiki CMS Groupware Tiki Wiki CMS Groupware 6.5 LTS

Tiki Wiki CMS Groupware 'show_errors' Parameter HTML Injection Vulnerability

Tiki Wiki CMS Groupware is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Tiki Wiki CMS Groupware 'show_errors' Parameter HTML Injection Vulnerability

An attacker can exploit this issue through a browser.

The following exploit is available:

• /data/vulnerabilities/exploits/51128.txt

Tiki Wiki CMS Groupware 'show_errors' Parameter HTML Injection Vulnerability

Solution:
Updates are available; please see the references for more information.

Tiki Wiki CMS Groupware 'show_errors' Parameter HTML Injection Vulnerability

References:

• Tiki Wiki CMS Groupware 8.2 and 6.5LTS Security Patches Available (Tiki Wiki CMS Groupware)
  
• Tiki Wiki CMS Groupware Homepage (Tiki Wiki CMS Groupware)
  
• Tiki Wiki CMS Groupware Stored Cross-Site-Scripting ([email protected])