TikiWiki 'show_errors' Parameter Stored Cross-Site Scripting Vulnerability Network Vulnerability

Summary

The host is running TikiWiki and is prone to stored cross site scripting vulnerabilitiy.

Impact

Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site. Impact Level: Application

Solution

Upgrade TikiWiki to 8.2 or 6.5 LTS or later, For updates refer to http://info.tiki.org/

Insight

The flaw is due to improper validation of user-supplied input to 'show_errors' paramter in 'tiki-cookie-jar.php', 'tiki-login.php' and 'tiki-remind_password.php' script, which allows attackers to conduct stored xss by sending a crafted request with JavaScript.

Affected

TikiWiki versions prior to 8.2 and 6.5 LTS.

References

http://downloads.securityfocus.com/vulnerabilities/exploits/51128.txt
http://info.tiki.org/tiki-view_articles.php?topic=1
http://packetstormsecurity.org/files/108036/INFOSERVE-ADV2011-07.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4551

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

AMSI 'file' Parameter Directory Traversal Vulnerability
AlienForm CGI script
Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability
Apache Subversion Module Metadata Accessible
Apache Tiles Multiple XSS Vulnerability

Take action and discover your vulnerabilities