oss-sec mailing list archives
Stored XSS vulnerabilities in Tiki <= 18.1
From: chbi () chbi eu
Date: Thu, 2 Aug 2018 19:45:38 +0200
Hi,

I've discovered four security issues in Tiki <= 18.1 (https://tiki.org).

Four stored XSS vulnerabilities allow an authenticated user to inject JavaScript and gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified link or thumb image.

The issues are fixed in Tiki 18.2 and the fixes are backported to 12.14 and 15.7.

Fixes:
https://sourceforge.net/p/tikiwiki/code/66809
https://sourceforge.net/p/tikiwiki/code/66990

Timeline:
2018-06-15: Issues discovered and reported
2018-06-25: 3 of 4 issues fixed
2018-07-12: All 4 issues confirmed
2018-07-20: 4 of 4 issues fixed
2018-07-31: Tiki 18.2, 15.7 and 12.14 released

I've requested a CVE ID (MITRE).

--
chbi
https://chbi.eu
GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E
https://chbi.eu/chbi.asc
Attachment:
signature.asc
Description: OpenPGP digital signature
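The advisory above names the bug class (stored XSS that fires when an administrator hovers a modified link or thumbnail) but gives no parser or parameter details, so the following is an added, illustrative example and not Tiki's code. The wiki-link syntax (`[url|text]`, `{img:url|alt}`), the function names and the payloads are constructed assumptions that model the general pattern: a URL the page author controls is concatenated into an HTML attribute, so a closing quote followed by `onmouseover=` becomes a live event handler. The hardened renderer escapes in attribute context and allow-lists the URL scheme, and `event_handlers` is a check a reviewer can run over rendered output to confirm no `on*` attribute survived.

```python
"""Attribute-context injection in wiki links and thumbnails (added example).

Not Tiki code. Markup syntax, names and payloads are hypothetical; they
model the class of bug described in the advisory, not its exact mechanics.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed wiki syntax for the example: [url|text] and {img:url|alt}.
LINK_RE = re.compile(r"^\[([^|\]]+)\|([^\]]*)\]$")
IMG_RE = re.compile(r"^\{img:([^|}]+)\|([^}]*)\}$")

# Schemes a wiki link may use; "" covers relative URLs such as /thumb.png.
SAFE_SCHEMES = {"http", "https", "mailto", ""}


def safe_url(url: str) -> str:
    """Return url unchanged if its scheme is allow-listed, else a dead '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in SAFE_SCHEMES else "#"


def render_vulnerable(markup: str) -> str:
    """Concatenates user input straight into attributes: the bug pattern."""
    m = LINK_RE.match(markup)
    if m:
        url, text = m.groups()
        return f'<a href="{url}" title="{url}">{html.escape(text)}</a>'
    m = IMG_RE.match(markup)
    if m:
        url, alt = m.groups()
        return f'<img src="{url}" alt="{alt}">'
    return html.escape(markup)


def render_hardened(markup: str) -> str:
    """Same markup, but every attribute value is scheme-checked and escaped
    with quote=True so a double quote cannot close the attribute."""
    m = LINK_RE.match(markup)
    if m:
        url, text = m.groups()
        url = html.escape(safe_url(url), quote=True)
        return f'<a href="{url}" title="{url}">{html.escape(text)}</a>'
    m = IMG_RE.match(markup)
    if m:
        url, alt = m.groups()
        url = html.escape(safe_url(url), quote=True)
        return f'<img src="{url}" alt="{html.escape(alt, quote=True)}">'
    return html.escape(markup)


class _AttrCollector(HTMLParser):
    """Collects (tag, attribute) pairs as a browser-like parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name) for name, _ in attrs)


def event_handlers(rendered: str) -> list[tuple[str, str]]:
    """Review check: list every on* attribute present in the rendered HTML."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return [(t, a) for t, a in p.attrs if a.lower().startswith("on")]


# Constructed payloads: attribute break-out in a link, in a thumbnail,
# and a javascript: URL that escaping alone would not stop.
PAYLOAD_LINK = '[https://example.org/" onmouseover="alert(1)|click me]'
PAYLOAD_IMG = '{img:/thumb.png" onmouseover="alert(1)|pic}'
PAYLOAD_SCHEME = '[ JaVaScRiPt:alert(1)|x]'

if __name__ == "__main__":
    for p in (PAYLOAD_LINK, PAYLOAD_IMG, PAYLOAD_SCHEME):
        print("vulnerable:", render_vulnerable(p), event_handlers(render_vulnerable(p)))
        print("hardened:  ", render_hardened(p), event_handlers(render_hardened(p)))
```

Two points worth keeping in mind when applying this to a real wiki engine: escaping alone does not neutralise a `javascript:` href, which is why the scheme allow-list is separate from the escaping step, and the check in `event_handlers` must use a real HTML parser rather than a regex, because the browser decides which `on*` attributes exist, not the template author.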
Current thread:
- Stored XSS vulnerabilities in Tiki <= 18.1 chbi (Aug 02)
- Re: Stored XSS vulnerabilities in Tiki <= 18.1 chbi (Aug 02)