Tiki Tikiwiki Cms Groupware vulnerabilities

72 known vulnerabilities affecting tiki/tikiwiki_cms_groupware.

Total CVEs: 72
CISA KEV: 0
Public exploits: 22
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 25, MEDIUM 42

Vulnerabilities

Page 1 of 4
CVE-2012-0911 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 6.7, fixed in 8.4 | 2012-07-12
CWE-502. TikiWiki CMS/Groupware before 6.7 LTS and before 8.4 allows remote attackers to execute arbitrary PHP code via a crafted serialized object in the (1) cookieName to lib/banners/bannerlib.php; (2) printpages or (3) printstructures parameter to (a) tiki-print_multi_pages.php or (b) tiki-print_pages.php; or (4) sendpages, (5) sendstructures, or (6) send
Source: nvd
CVE-2007-5423 | P2 | HIGH | CVSS 7.5 | PoC | v1.9.8 | 2007-10-12
CWE-94. tiki-graph_formula.php in TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP sequences in the f array parameter, which are processed by create_function.
Source: nvd
CVE-2005-1921 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 1.8.5 | 2005-07-05
CWE-94. Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary
Source: nvd
CVE-2025-34111 | P2 | CRITICAL | CVSS 9.8 | PoC | ≤ 15.1 | 2025-07-15
CWE-20. An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type vali
Source: nvd
CVE-2006-4602 | P2 | HIGH | CVSS 7.5 | PoC | v1.9.4 | 2006-09-07
Unrestricted file upload vulnerability in jhot.php in TikiWiki 1.9.4 Sirius and earlier allows remote attackers to execute arbitrary PHP code via a filepath parameter that contains a filename with a .php extension, which is uploaded to the img/wiki/ directory.
Source: nvd
CVE-2010-4239 | P2 | CRITICAL | CVSS 9.8 | PoC | v5.2 | 2019-10-28
CWE-20. Tiki Wiki CMS Groupware 5.2 has Local File Inclusion.
Source: nvd
CVE-2006-5702 | P3 | MEDIUM | CVSS 5.0 | PoC | v1.9.5 | 2006-11-04
CWE-200. Tikiwiki 1.9.5 allows remote attackers to obtain sensitive information (MySQL username and password) via an empty sort_mode parameter in (1) tiki-listpages.php, (2) tiki-lastchanges.php, (3) messu-archive.php, (4) messu-mailbox.php, (5) messu-sent.php, (6) tiki-directory_add_site.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9)
Source: nvd
CVE-2011-4336 | P3 | MEDIUM | CVSS 6.1 | PoC | ≤ 7.0 | 2020-01-15
CWE-79. Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
Source: nvd
CVE-2007-5684 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 1.9.8.1, v1.6.1, +9 more | 2007-10-26
CWE-22. Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in the imp_language parameter to tiki-imexport_languages.php.
Source: nvd
CVE-2012-5321 | P3 | MEDIUM | CVSS 5.8 | PoC | v8.3 | 2012-10-08
CWE-20. tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection."
Source: nvd
CVE-2004-1928 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-12
CWE-20. The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL.
Source: nvd
CVE-2004-1925 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-12
CWE-89. Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-direc
Source: nvd
CVE-2007-6528 | P3 | MEDIUM | CVSS 5.0 | PoC | ≤ 1.9.8, v1.6.1, +8 more | 2007-12-27
CWE-22. Directory traversal vulnerability in tiki-listmovies.php in TikiWiki before 1.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) and modified filename in the movie parameter.
Source: nvd
CVE-2004-1926 | P4 | HIGH | CVSS 7.5 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-11
CWE-94. Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation.
Source: nvd
CVE-2020-29254 | P3 | HIGH | CVSS 8.8 | v21.2 | 2020-12-11
CWE-352. TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An
Source: nvd
CVE-2004-1927 | P4 | MEDIUM | CVSS 5.0 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-11
CWE-22. Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter.
Source: nvd
CVE-2018-20719 | P3 | HIGH | CVSS 8.8 | fixed in 17.2 | 2019-01-15
CWE-89. In Tiki before 17.2, the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.
Source: nvd
CVE-2016-10143 | P3 | HIGH | CVSS 7.5 | v15.2 | 2017-01-20
CWE-200. A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field.
Source: nvd
CVE-2013-4715 | P3 | HIGH | CVSS 7.5 | v6.8, v6.9, +15 more | 2013-11-06
CWE-89. SQL injection vulnerability in Tiki Wiki CMS Groupware 6 LTS before 6.13LTS, 9 LTS before 9.7LTS, 10.x before 10.4, and 11.x before 11.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Source: nvd
CVE-2009-1204 | P4 | MEDIUM | CVSS 4.3 | PoC | v2.2 | 2009-04-01
CWE-79. Cross-site scripting (XSS) vulnerability in TikiWiki (Tiki) CMS/Groupware 2.2 allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to (1) tiki-galleries.php, (2) tiki-list_file_gallery.php, (3) tiki-listpages.php, and (4) tiki-orphan_pages.php.
Source: nvd