Summary
Tiki Wiki CMS Groupware is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie- based authentication credentials and launch other attacks.
Tiki Wiki CMS Groupware 5.2 is vulnerable
other versions may also
be affected.
References
Severity
Classification
-
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- AeroMail Cross Site Request Forgery, HTML Injection and Cross Site Scripting Vulnerabilities
- Apache mod_proxy_ftp Wildcard Characters XSS Vulnerability
- Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability
- Afian 'includer.php' Directory Traversal Vulnerability