oss-sec mailing list archives
Re: CSRF vulnerability in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS
From: chbi () chbi eu
Date: Fri, 29 Sep 2017 19:33:00 +0200
Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with the IMG tag. Fix: https://sourceforge.net/p/tikiwiki/code/63829
CVE-2017-14924 has been assigned. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14924
Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an authenticated user to edit global permissions if an administrator opens a wiki page with the IMG tag. For example, an attacker could assign administrator privileges to every unauthenticated user of the site. Fix: https://sourceforge.net/p/tikiwiki/code/63872
CVE-2017-14925 has been assigned. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14925

--
chbi
https://chbi.eu
GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E
https://chbi.eu/chbi.asc
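Both issues above share one pattern: a privilege-changing action that the server performs on a plain GET with no anti-forgery token, so an IMG tag embedded in a wiki page fires it with the viewing administrator's cookies. The following is an added, self-contained Python illustration, not Tiki's code and not the linked fix; it models the weak handler beside a hardened one that requires POST plus a per-session synchronizer token. The request model, the `/grant-group` path, the `wiki.example` origin and the `mallory` account are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://wiki.example"  # hypothetical site origin


@dataclass
class Request:
    """Constructed stand-in for an HTTP request already mapped to its session
    (via the session cookie the browser attaches automatically)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Create once per session and return the synchronizer token that
    legitimate forms embed as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def grant_group_vulnerable(req, perms):
    """Weak pattern: state change on GET, authenticated only by the cookie.
    A browser fetching <img src="/grant-group?user=..&group=.."> while an
    admin views the page sends exactly this request."""
    if not req.session.get("is_admin"):
        return 403
    user, group = req.query.get("user"), req.query.get("group")
    perms.setdefault(user, set()).add(group)
    return 200


def grant_group_hardened(req, perms):
    """Hardened pattern: POST only, same-site Origin/Referer, and a token
    bound to the session compared in constant time."""
    if not req.session.get("is_admin"):
        return 403
    if req.method != "POST":
        return 405  # an <img> fetch is always GET, so it stops here
    # The IMG tag lives on the wiki's own origin, so an Origin/Referer
    # check alone would pass; it is defence in depth, not the fix.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # forged requests cannot read the token out of the session
    user, group = req.form.get("user"), req.form.get("group")
    perms.setdefault(user, set()).add(group)
    return 200


def demo():
    """Run the same forged and legitimate requests against both handlers."""
    admin = {"is_admin": True}
    token = issue_csrf_token(admin)
    same_site = {"Referer": SITE_ORIGIN + "/some-wiki-page"}  # constructed
    perms_vuln, perms_hard = {}, {}

    # What the admin's browser sends when it renders the planted IMG tag.
    img_req = Request("GET", "/grant-group",
                      query={"user": "mallory", "group": "Admins"},
                      headers=same_site, session=admin)
    # A forged same-site POST that still lacks the token.
    forged_post = Request("POST", "/grant-group",
                          form={"user": "mallory", "group": "Admins"},
                          headers=same_site, session=admin)
    # The real form submission, carrying the token from the session.
    legit_post = Request("POST", "/grant-group",
                         form={"user": "mallory", "group": "Admins", "csrf_token": token},
                         headers=same_site, session=admin)

    results = {
        "vulnerable_img": grant_group_vulnerable(img_req, perms_vuln),
        "hardened_img": grant_group_hardened(img_req, perms_hard),
        "hardened_post_no_token": grant_group_hardened(forged_post, perms_hard),
    }
    results["mallory_admin_vulnerable"] = "Admins" in perms_vuln.get("mallory", set())
    results["mallory_admin_hardened_before_legit"] = "Admins" in perms_hard.get("mallory", set())
    results["hardened_legit"] = grant_group_hardened(legit_post, perms_hard)
    results["mallory_admin_hardened_after_legit"] = "Admins" in perms_hard.get("mallory", set())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The method check is what defeats the IMG-tag vector on its own, but the token is the part that generalises: it also blocks a forged POST, and it keeps working even when the forged request originates from the site's own pages, where Origin and Referer look perfectly legitimate.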