CVE-2017-14924

moderate-risk

Published 2017-09-30

Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.

Do I need to act?

-

0.22% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

8

CVSS 8.0/10 High

NETWORK / LOW complexity

Affected Products (20)

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Tikiwiki Cms\/Groupware

Affected Vendors

Tiki

References (6)

Mailing List http://openwall.com/lists/oss-security/2017/09/28/13

Patch https://sourceforge.net/p/tikiwiki/code/63829

Patch https://tiki.org/article449-Security-and-bug-fix-updates-Tiki-17-1-Tiki-16-3-15-...

Mailing List http://openwall.com/lists/oss-security/2017/09/28/13

Patch https://sourceforge.net/p/tikiwiki/code/63829

Patch https://tiki.org/article449-Security-and-bug-fix-updates-Tiki-17-1-Tiki-16-3-15-...

49

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 1/34 · Minimal

Exposure 20/34 · Moderate