Cross-Site Request Forgery in Tiki by Tiki Software
CVE-2017-14924

8 HIGH

Key Information:

Vendor: Tiki

CVE Published: 30 September 2017

What is CVE-2017-14924?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Tiki software that could allow an authenticated user to escalate privileges to those of an administrator. The request is triggered by an IMG element embedded in a malicious wiki page: when an administrator opens that page, the browser issues the request to tiki-assignuser.php with the administrator's session, and the script does not properly validate that the request was intentionally made. Exploitation compromises the security of the Tiki instance.
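As an added illustration (not Tiki's code), the server-side check a state-changing endpoint such as tiki-assignuser.php needs in order to reject the request an IMG element can forge. The Python below is a simplified model; the function names and the session/origin values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed model, not Tiki's implementation. An <img src="..."> always issues
# a GET with no form body and no CSRF token, yet the browser still attaches the
# victim's session cookie, so a script that trusts the cookie alone can be
# driven by an image on any page the administrator views.

SECRET_KEY = secrets.token_bytes(32)  # per-deployment key (constructed)


def csrf_token(session_id: str) -> str:
    """Token bound to the session; the page rendering the form embeds it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_allowed(method, session_id, form_token, origin, site_origin):
    """Decide whether a state-changing request (e.g. a group assignment) is
    legitimate. Returns (allowed, reason)."""
    if method != "POST":
        # GET must never change state: an <img> or a plain link can forge it.
        return False, "state change via GET is forgeable"
    if origin is not None and origin != site_origin:
        # Defence in depth: a cross-origin page cannot spoof the Origin header.
        return False, "cross-origin request"
    expected = csrf_token(session_id)
    if form_token is None or not hmac.compare_digest(expected, form_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    site = "https://wiki.example"          # constructed origin
    admin_session = "admin-session-1"      # constructed session id
    # What the <img> element in the malicious wiki page produces:
    print(request_allowed("GET", admin_session, None, None, site))
    # What the real admin form produces:
    tok = csrf_token(admin_session)
    print(request_allowed("POST", admin_session, tok, site, site))
```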

References

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
