Description

Unauthenticated users can upload and execute arbitrary code due to a vulnerability in a preinstalled third-party component ("ELFinder"). An unauthenticated user can upload and PHP file with arbitrary code and execute it with the permissions of the web server user.

Remediation

Upgrade Tiki Wiki CMS to version 12.9, 14.4, 15.2 or above (recommended)

References

Tiki Wiki Announcement (2016-07-08)

Related Vulnerabilities

WordPress Plugin ApplyOnline-Application Form Builder and Manager Arbitrary File Disclosure (1.9.92)

WordPress readme.html file

WordPress Plugin Simple History Information Disclosure (2.7.4)

Drupal Core 8.x.x Information Disclosure (8.0.0 - 8.7.14)

WordPress Plugin Social Discussions Remote File Include and Information Disclosure Vulnerabilities (6.1.1)

Severity

High

Classification

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Information Disclosure Code Execution