CVE-2011-4336
Published: 2020-01-15
Priority: P3 (42) · Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 7.65% (93.8th percentile)
Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tiki | tikiwiki_cms_groupware | <= 7.0 | — |
| tiki | wiki_cms_groupware | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB
Tiki Wiki CMS Groupware 7.2 - 'snarf_ajax.php' Cross-Site Scripting
exploitdb · 2011-07-20
---
source: https://www.securityfocus.com/bid/48806/info
Tiki Wiki CMS Groupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Tiki Wiki CMS Groupware 7.0 is vulnerable; other versions may also be affected.
http://www.example.com/snarf_ajax.php?url=1&ajax=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Nuclei
Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting
nuclei · CVSS 6.1
Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarf_ajax.php.
Template:

```yaml
id: CVE-2011-4336

info:
  name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarf_ajax.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2011-4336
    - https://seclists
```