Current Description

Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "<scr<script>ipt>" in (1) offset and (2) days parameters in (a) tiki-lastchanges.php, the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php, the (5) offset and (6) initial parameters in (c) tiki-listpages.php, and (7) an unspecified field in (d) tiki-remind_password.php; and allow remote authenticated users with admin privileges to inject arbitrary web script or HTML via (8) an unspecified field in a metatags action in (e) tiki-admin.php, the (9) offset parameter in (f) tiki-admin_rssmodules.php, the (10) offset and (11) max parameters in (g) tiki-syslog.php, the (12) numrows parameter in (h) tiki-adminusers.php, (13) an unspecified field in (i) tiki-adminusers.php, (14) an unspecified field in (j) tiki-admin_hotwords.php, unspecified fields in (15) "Assign new module" and (16) "Create new user module" in (k) tiki-admin_modules.php, (17) an unspecified field in "Add notification" in (l) tiki-admin_notifications.php, (18) the offset parameter in (m) tiki-admin_notifications.php, the (19) Name and (20) Dsn fields in (o) tiki-admin_dsn.php, the (21) offset parameter in (p) tiki-admin_content_templates.php, (22) an unspecified field in "Create new template" in (q) tiki-admin_content_templates.php, and the (23) offset parameter in (r) tiki-admin_chat.php.

View Analysis Description

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score:  4.3 MEDIUM

Vector:  (AV:N/AC:M/Au:N/C:N/I:P/A:N)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
http://secunia.com/advisories/20334	CVE, MITRE	Exploit  Patch  Vendor Advisory
http://securityreason.com/securityalert/976	CVE, MITRE
http://tikiwiki.org/tiki-read_article.php?articleId=131	CVE, MITRE
http://www.osvdb.org/26048	CVE, MITRE
http://www.osvdb.org/26049	CVE, MITRE
http://www.osvdb.org/26050	CVE, MITRE
http://www.osvdb.org/26051	CVE, MITRE
http://www.osvdb.org/26052	CVE, MITRE
http://www.osvdb.org/26053	CVE, MITRE
http://www.osvdb.org/26054	CVE, MITRE
http://www.osvdb.org/26055	CVE, MITRE
http://www.osvdb.org/26056	CVE, MITRE
http://www.osvdb.org/26057	CVE, MITRE
http://www.osvdb.org/26058	CVE, MITRE
http://www.osvdb.org/26059	CVE, MITRE
http://www.osvdb.org/26060	CVE, MITRE
http://www.osvdb.org/26061	CVE, MITRE
http://www.osvdb.org/26062	CVE, MITRE
http://www.securityfocus.com/archive/1/435127/100/0/threaded	CVE, MITRE
http://www.securityfocus.com/archive/1/436432/100/0/threaded	CVE, MITRE
http://www.securityfocus.com/bid/18143	CVE, MITRE	Exploit
http://www.vupen.com/english/advisories/2006/2024	CVE, MITRE	Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by CVE 11/20/2024 7:11:42 PM

Action	Type	Old Value	New Value
Added	Reference		http://secunia.com/advisories/20334
Added	Reference		http://securityreason.com/securityalert/976
Added	Reference		http://tikiwiki.org/tiki-read_article.php?articleId=131
Added	Reference		http://www.osvdb.org/26048
Added	Reference		http://www.osvdb.org/26049
Added	Reference		http://www.osvdb.org/26050
Added	Reference		http://www.osvdb.org/26051
Added	Reference		http://www.osvdb.org/26052
Added	Reference		http://www.osvdb.org/26053
Added	Reference		http://www.osvdb.org/26054
Added	Reference		http://www.osvdb.org/26055
Added	Reference		http://www.osvdb.org/26056
Added	Reference		http://www.osvdb.org/26057
Added	Reference		http://www.osvdb.org/26058
Added	Reference		http://www.osvdb.org/26059
Added	Reference		http://www.osvdb.org/26060
Added	Reference		http://www.osvdb.org/26061
Added	Reference		http://www.osvdb.org/26062
Added	Reference		http://www.securityfocus.com/archive/1/435127/100/0/threaded
Added	Reference		http://www.securityfocus.com/archive/1/436432/100/0/threaded
Added	Reference		http://www.securityfocus.com/bid/18143
Added	Reference		http://www.vupen.com/english/advisories/2006/2024

CVE Modified by MITRE 5/13/2024 9:37:00 PM

Action	Type	Old Value	New Value

CVE Modified by MITRE 10/18/2018 12:41:02 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.securityfocus.com/archive/1/435127/100/0/threaded [No Types Assigned]
Added	Reference		http://www.securityfocus.com/archive/1/436432/100/0/threaded [No Types Assigned]
Removed	Reference	http://www.securityfocus.com/archive/1/archive/1/435127/100/0/threaded [Exploit]
Removed	Reference	http://www.securityfocus.com/archive/1/archive/1/436432/100/0/threaded [No Types Assigned]

Initial CVE Analysis 5/30/2006 10:09:00 AM

Action	Type	Old Value	New Value