cvebase

Tiki Tikiwiki Cms Groupware vulnerabilities

72 known vulnerabilities affecting tiki/tikiwiki_cms_groupware.

Total CVEs: 72
CISA KEV: 0
Public exploits: 22
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 25, MEDIUM 42

Vulnerabilities

Page 2 of 4
CVE-2012-3996 | P4 | MEDIUM | CVSS 5.0 | PoC | ≤ 8.2, v2.2, +22 more | 2012-07-12
CVE-2012-3996 [MEDIUM] CWE-200: TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php.
nvd
CVE-2010-1135 | P3 | HIGH | CVSS 7.5 | v4.0, v4.1 | 2010-03-27
CVE-2010-1135 [HIGH] CWE-255: The user_logout function in TikiWiki CMS/Groupware 4.x before 4.2 does not properly delete user login cookies, which allows remote attackers to gain access via cookie reuse.
nvd
CVE-2004-1923 | P4 | MEDIUM | CVSS 5.0 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-11
CVE-2004-1923 [MEDIUM] CWE-200: Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an error message.
nvd
CVE-2010-1136 | P3 | HIGH | CVSS 7.5 | v3.0, v3.1, +3 more | 2010-03-27
CVE-2010-1136 [HIGH] CWE-264: The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to bypass access restrictions related to "persistent login," probably due to the generation of predictable cookies based on the IP address and User agent in userslib.php.
nvd
CVE-2006-2635 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.9.0, v1.9.1, +13 more | 2006-05-30
CVE-2006-2635 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "ipt>" in (1) offset and (2) days parameters in (a) tiki-lastchanges.php, the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php, the (5) offset
nvd
CVE-2004-1924 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 1.8.1, v1.6.1 | 2004-04-11
CVE-2004-1924 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php
nvd
CVE-2011-4551 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 8.1, v2.2, +22 more | 2012-10-01
CVE-2011-4551 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in tiki-cookie-jar.php in TikiWiki CMS/Groupware before 8.2 and LTS before 6.5 allows remote attackers to inject arbitrary web script or HTML via arbitrary parameters.
nvd
CVE-2003-1574 | P3 | HIGH | CVSS 7.5 | v1.6.1 | 2009-08-24
CVE-2003-1574 [HIGH] CWE-287: TikiWiki 1.6.1 allows remote attackers to bypass authentication by entering a valid username with an arbitrary password, possibly related to the Internet Explorer "Remember Me" feature. NOTE: some of these details are obtained from third party information.
nvd
CVE-2010-1133 | P3 | HIGH | CVSS 7.5 | v4.0, v4.1 | 2010-03-27
CVE-2010-1133 [HIGH] CWE-89: Multiple SQL injection vulnerabilities in TikiWiki CMS/Groupware 4.x before 4.2 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, probably related to (1) tiki-searchindex.php and (2) tiki-searchresults.php.
nvd
CVE-2010-1134 | P3 | HIGH | CVSS 7.5 | v3.0, v3.1, +3 more | 2010-03-27
CVE-2010-1134 [HIGH] CWE-89: SQL injection vulnerability in the _find function in searchlib.php in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to execute arbitrary SQL commands via the $searchDate variable.
nvd
CVE-2007-5682 | P3 | HIGH | CVSS 7.5 | ≤ 1.9.8, v1.6.1, +8 more | 2007-10-26
CVE-2007-5682 [HIGH]: Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write variables whose names match the whitelist, a different vulnerability than CVE-2007-5423.
nvd
CVE-2006-4734 | P3 | HIGH | CVSS 7.5 | v1.9.4 | 2006-09-13
CVE-2006-4734 [HIGH] CWE-89: Multiple SQL injection vulnerabilities in tiki-g-admin_processes.php in Tikiwiki 1.9.4 allow remote attackers to execute arbitrary SQL commands via the (1) pid and (2) where parameters.
nvd
CVE-2005-0200 | P3 | HIGH | CVSS 7.5 | ≤ 1.6.1 | 2005-05-02
CVE-2005-0200 [HIGH]: TikiWiki before 1.8.5 does not properly validate files that have been uploaded to the temp directory, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2004-1386.
nvd
CVE-2017-14925 | P3 | HIGH | CVSS 8.0 | v12.0, v12.1, +19 more | 2017-09-30
CVE-2017-14925 [HIGH] CWE-352: Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign admini
nvd
CVE-2006-5703 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.9.5 | 2006-11-04
CVE-2006-5703 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in tiki-featured_link.php in Tikiwiki 1.9.5 allows remote attackers to inject arbitrary web script or HTML via a url parameter that evades filtering, as demonstrated by a parameter value containing malformed, nested SCRIPT elements.
nvd
CVE-2006-3048 | P3 | HIGH | CVSS 7.5 | ≤ 1.9.3.1, v1.9.0, +3 more | 2006-06-16
CVE-2006-3048 [HIGH] CWE-89: SQL injection vulnerability in TikiWiki 1.9.3.2 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.
nvd
CVE-2004-1386 | P4 | HIGH | CVSS 7.5 | ≤ 1.6.1 | 2004-12-31
CVE-2004-1386 [HIGH] CWE-20: TikiWiki before 1.8.4.1 does not properly verify uploaded images, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2005-0200.
nvd
CVE-2017-14924 | P4 | HIGH | CVSS 8.0 | v12.0, v12.1, +19 more | 2017-09-30
CVE-2017-14924 [HIGH] CWE-352: Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.
nvd
CVE-2007-6529 | P4 | CRITICAL | CVSS 10.0 | ≤ 1.9.8, v1.6.1, +8 more | 2007-12-27
CVE-2007-6529 [CRITICAL]: Multiple unspecified vulnerabilities in TikiWiki before 1.9.9 have unknown impact and attack vectors involving (1) tiki-edit_css.php, (2) tiki-list_games.php, or (3) tiki-g-admin_shared_source.php.
nvd
CVE-2006-6168 | P4 | HIGH | CVSS 7.5 | ≤ 1.9.6, v1.6.1, +6 more | 2006-11-29
CVE-2006-6168 [HIGH] CWE-20: tiki-register.php in TikiWiki before 1.9.7 allows remote attackers to trigger "notification-spam" via certain vectors such as a comma-separated list of addresses in the email field, related to lack of "a minimal check on email."
nvd