CVE-2004-1924
Published 2004-04-11
Priority: P4 | 20 | medium | 4.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 1.80% (75.8th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php, (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | <= 1.8.1 | — |
| tiki | tikiwiki_cms_groupware | — | — |
No detection rules found.
Exploit-DB
TikiWiki Project 1.8 - 'messu-mailbox.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
Multiple vulnerabilities have been identified in various modules of the application. These vulnerabilities may allow a remote attacker to carry out various attacks such as path disclosure, cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload.
messu-mailbox.php?flags=&priority=&find=[XSS]
messu-mailbox.php?flags=&priority=[XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-read_article.php?articleId' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-read_article.php?articleId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-index.php?comments_threshold' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-index.php?page=[VPG]&comments_threshold=[INT][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-list_file_gallery.php?galleryID' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-list_file_gallery.php?galleryId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-upload_file.php?galleryID' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-upload_file.php?galleryId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-print_article.php?articleId' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-print_article.php?articleId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-browse_categories.php?parentId' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-browse_categories.php?find=&deep=off&parentId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-switch_theme.php?theme' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-switch_theme.php?theme=[XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-view_faq.php?faqId' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-view_faq.php?faqId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'tiki-view_chart.php?chartId' Cross-Site Scripting
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
tiki-view_chart.php?chartId=[VID][XSS]
Exploit-DB
TikiWiki Project 1.8 - 'messu-read.php' Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2004-04-12
---
source: https://www.securityfocus.com/bid/10100/info
messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=date_desc&find=[XSS]
messu-read.php?offset=[INT]&flag=&priority=&flagval=&sort_mode=[XSS]
messu-read.php?offset=[INT]&flag=&priority=&flagval=[XSS]
messu-read.php?offset=[INT]&flag=&priority=[XSS]
messu-read.php?offset=[INT]&flag=[XSS]
messu-read.php?offset=[XSS]
Exploit-DB
TikiWiki < 1.8.1 - Multiple Vulnerabilities
exploitdb·2004-04-11·CVSS 5.0
CVE-2004-1923 [MEDIUM] TikiWiki < 1.8.1 - Multiple Vulnerabilities
TikiWiki Theme
User Profile > Country Field
User Profile > Real Name
User Profile > Displayed time zone
Directory > Add Site > Name
Directory > Add Site > Description
Directory > Add Site > URL
Directory > Add Site > Country
Remote File/Dir Enumeration Via Traversal:
This issue deals with the map feature TikiWiki uses. If you are using a version prior to 1.8 or if you have not enabled the map feature this probably does not affect you. The map feature calls a .map file to display whatever map a user would like to view, but the problem with this is that it allows you to traverse out of the web directory and call files elsewhere on the box. While this does not allow you to say pull up a file for viewing or download, it will allow you to confirm the existence of both files and directories on
No writeups or analysis indexed.
http://marc.info/?l=bugtraq&m=108180073206947&w=2
http://secunia.com/advisories/11344
http://tikiwiki.org/tiki-read_article.php?articleId=66
http://www.securityfocus.com/bid/10100
https://exchange.xforce.ibmcloud.com/vulnerabilities/15846