oss-sec mailing list archives
CSRF vulnerability in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS
From: chbi () chbi eu
Date: Thu, 28 Sep 2017 20:31:57 +0200
Hi, there are two security issues in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS (https://tiki.org) Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with the IMG tag. Fix: https://sourceforge.net/p/tikiwiki/code/63829 Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an authenticated user to edit global permissions if an administrator opens a wiki page with the IMG tag. For example, an attacker could assign administrator privileges to every unauthenticated user of the site. Fix: https://sourceforge.net/p/tikiwiki/code/63872 Both issues are fixed in Tiki 17.1, Tiki 16.3, Tiki 15.5 LTS and Tiki 12.12 LTS. https://tiki.org/article449-Security-and-bug-fix-updates-Tiki-17-1-Tiki-16-3-15-5-and-Tiki-12-12-released -- chbi https://chbi.eu GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E https://chbi.eu/chbi.asc
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CSRF vulnerability in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS chbi (Sep 28)