Cross-Site Request Forgery in TikiWiki by Tiki Software
CVE-2020-29254

8.8HIGH

Key Information:

Vendor

Tiki

Status
Tikiwiki Cms\/groupware
Vendor
CVE Published:
11 December 2020

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-29254?

TikiWiki version 21.2 has a security flaw that allows templates to be modified without adequate CSRF protections. This vulnerability can be exploited by an unauthenticated, remote actor to carry out unauthorized actions on the system. Essentially, if a user with editing permissions is tricked into visiting a malicious link, they could inadvertently execute arbitrary commands within TikiWiki, including the submission of unexpected code. This compromise poses a significant risk to the security and integrity of user data and system functionality.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-29254
Created by S1lkys

References

https://youtu.be/Uc3sRBitu50
x_refsource_MISC
https://github.com/S1lkys/CVE-2020-29254
x_refsource_MISC
https://github.com/S1lkys/CVE-2020-29254/blob/main/Tiki-W...
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

.