oss-sec mailing list archives
CVE-2018-7290: Stored XSS vulnerability in Tiki <= 18
From: chbi () chbi eu
Date: Thu, 8 Mar 2018 19:37:19 +0100
Hi,

I've discovered a security issue in Tiki <= 18 (https://tiki.org)

A stored XSS vulnerability allows an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the mouse pointer over a modified external link, related to lib/parser/parserlib.php.

The issue is fixed in Tiki 18.1 and was backported to 12.13, 15.6 and 17.2.

Fix: https://sourceforge.net/p/tikiwiki/code/65537

Timeline:
2018-02-16: Issue discovered and reported
2018-02-19: Issue confirmed and fixed
2018-03-08: New Tiki version released

--
chbi
https://chbi.eu
GPG: 3DE9 9187 4BE9 EAE6 3CA8 DC20 BA7B 93F9 9037 AE7E
https://chbi.eu/chbi.asc