Tiki

tiki

91 CVEs • 2 products

Products (2)

Click to collapse

Toggle

Tikiwiki Cms/groupware

tikiwiki_cms/groupware

CVEs (91)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-46879 1Tiki 1Tiki Apr 2, 2026 Mar 23, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a c...Show more A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.Show less
CVE-2024-46878 1Tiki 1Tiki Apr 2, 2026 Mar 23, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payloa...Show more A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.Show less
CVE-2025-34111 1Tiki 1Tikiwiki Cms/groupware Oct 3, 2025 Jul 15, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to u...Show more An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/.Show less
CVE-2024-51509 1Tiki 1Tiki Jun 3, 2025 Oct 28, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
CVE-2024-51508 1Tiki 1Tiki Jun 3, 2025 Oct 28, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
CVE-2024-51507 1Tiki 1Tiki Jun 3, 2025 Oct 28, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
CVE-2024-51506 1Tiki 1Tiki Jun 3, 2025 Oct 28, 2024 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
CVE-2023-22851 1Tiki 1Tiki Apr 4, 2025 Jan 14, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Tiki before 24.2 allows lib/importer/tikiimporter_blog_wordpress.php PHP Object Injection by an admin because of an unserialize call.
CVE-2023-22850 1Tiki 1Tiki Apr 7, 2025 Jan 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
CVE-2023-22853 1Tiki 1Tiki Apr 7, 2025 Jan 14, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval.
CVE-2023-22852 1Tiki 1Tiki Apr 7, 2025 Jan 14, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Tiki through 25.0 allows CSRF attacks that are related to tiki-importer.php and tiki-import_sheet.php.
CVE-2021-36551 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Oct 28, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload u...Show more TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-calendar.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module.Show less
CVE-2021-36550 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Oct 28, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted...Show more TikiWiki v21.4 was discovered to contain a cross-site scripting (XSS) vulnerability in the component tiki-browse_categories.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module.Show less
CVE-2020-29254 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Dec 11, 2020 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected...Show more TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.Show less
CVE-2020-15906 1Tiki 1Tiki Nov 21, 2024 Oct 22, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
CVE-2020-16131 1Tiki 1Tiki Nov 21, 2024 Aug 3, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Tiki before 21.2 allows XSS because [\s\/"\'] is not properly considered in lib/core/TikiFilter/PreventXss.php.
CVE-2020-8966 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Apr 1, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the...Show more There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.Show less
CVE-2013-6022 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Feb 12, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Groupware 11.0 via the id paraZeroClipboard.swf, which could let a remote malicious user execute arbitrary code.
CVE-2011-4558 1Tiki 1Tiki Nov 21, 2024 Jan 27, 2020 N/A· v4 7.2 HIGH· v3 6.0 MEDIUM· v2 Tiki 8.2 and earlier allows remote administrators to execute arbitrary PHP code via crafted input to the regexres and regex parameters.
CVE-2011-4336 1Tiki 1Tikiwiki Cms/groupware Nov 21, 2024 Jan 15, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.

12 3 4 5 Next