CVE-2006-2635 Information

Feb 14, 2021 cve

Description

Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as \scrscriptipt\ in (1) offset and (2) days parameters in (a) tiki-lastchanges.php the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php the (5) offset and (6) initial parameters in (c) tiki-listpages.php and (7) an unspecified field in (d) tiki-remind_password.php; and allow remote authenticated users with admin privileges to inject arbitrary web script or HTML via (8) an unspecified field in a metatags action in (e) tiki-admin.php the (9) offset parameter in (f) tiki-admin_rssmodules.php the (10) offset and (11) max parameters in (g) tiki-syslog.php the (12) numrows parameter in (h) tiki-adminusers.php (13) an unspecified field in (i) tiki-adminusers.php (14) an unspecified field in (j) tiki-admin_hotwords.php unspecified fields in (15) \Assign new module\ and (16) \Create new user module\ in (k) tiki-admin_modules.php (17) an unspecified field in \Add notification\ in (l) tiki-admin_notifications.php (18) the offset parameter in (m) tiki-admin_notifications.php the (19) Name and (20) Dsn fields in (o) tiki-admin_dsn.php the (21) offset parameter in (p) tiki-admin_content_templates.php (22) an unspecified field in \Create new template\ in (q) tiki-admin_content_templates.php and the (23) offset parameter in (r) tiki-admin_chat.php.

Reference

Share on: