漏洞标题
N/A
漏洞描述信息
Tikiwiki(也称为Tiki CMS/Groupware)1.9.x版本的多个跨站脚本(XSS)漏洞允许远程攻击者通过malformed的嵌套HTML标签,如"<scr<script>ipt>"在(a)tiki-lastchanges.php中的偏移量和(2)天参数,(b)tiki-orphan_pages.php中的查找和偏移量参数,(c)tiki-listpages.php中的偏移量和初始参数,以及(d)tiki-remind_password.php中的未知字段;允许具有管理员权限的远程登录用户通过(e)tiki-admin.php中的未指定字段,在(f)tiki-admin_rssmodules.php中的偏移量参数,(g)tiki-syslog.php中的偏移量和最大值参数,(h)tiki-adminusers.php中的numrows参数,(i)tiki-adminusers.php中的未知字段,(j)tiki-admin_hotwords.php中的未知字段,(15)"Assign new module"和(16)"Create new user module"中的未指定字段,(k)tiki-admin_modules.php中的未指定字段,(17)"Add notification"中的未指定字段,(l)tiki-admin_notifications.php中的未知字段,(18)tiki-admin_notifications.php中的偏移量参数,(m)tiki-admin_notifications.php中的未知字段,(19)tiki-admin_dsn.php中的名称和DSN字段,(20)tiki-admin_content_templates.php中的未指定字段,(21)tiki-admin_content_templates.php中的偏移量参数,(p)tiki-admin_content_templates.php中的未指定字段,(22)"Create new template"中的未指定字段,(q)tiki-admin_content_templates.php中的未指定字段,以及(r)tiki-admin_chat.php中的偏移量参数。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "<scr<script>ipt>" in (1) offset and (2) days parameters in (a) tiki-lastchanges.php, the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php, the (5) offset and (6) initial parameters in (c) tiki-listpages.php, and (7) an unspecified field in (d) tiki-remind_password.php; and allow remote authenticated users with admin privileges to inject arbitrary web script or HTML via (8) an unspecified field in a metatags action in (e) tiki-admin.php, the (9) offset parameter in (f) tiki-admin_rssmodules.php, the (10) offset and (11) max parameters in (g) tiki-syslog.php, the (12) numrows parameter in (h) tiki-adminusers.php, (13) an unspecified field in (i) tiki-adminusers.php, (14) an unspecified field in (j) tiki-admin_hotwords.php, unspecified fields in (15) "Assign new module" and (16) "Create new user module" in (k) tiki-admin_modules.php, (17) an unspecified field in "Add notification" in (l) tiki-admin_notifications.php, (18) the offset parameter in (m) tiki-admin_notifications.php, the (19) Name and (20) Dsn fields in (o) tiki-admin_dsn.php, the (21) offset parameter in (p) tiki-admin_content_templates.php, (22) an unspecified field in "Create new template" in (q) tiki-admin_content_templates.php, and the (23) offset parameter in (r) tiki-admin_chat.php.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
TikiWiki 多个跨站脚本攻击漏洞
漏洞描述信息
Tikiwiki(又称 Tiki CMS/Groupware) 1.9.x中存在多个跨站脚本攻击(XSS)漏洞。 远程攻击者可以借助(a) tiki-lastchanges.php中的(1) offset 和(2) days 参数,(b) tiki-orphan_pages.php中的(3) find和(4) offset参数, (c) tiki-listpages.php中的(5) offset和(6) initial参数, 以及(d) tiki-remind_password.php中的(7)未明字段
CVSS信息
N/A
漏洞类别
跨站脚本