Date: Thu, 8 Mar 2018 19:37:19 +0100
Subject: CVE-2018-7290: Stored XSS vulnerability in Tiki <= 18


I've discovered a security issue in Tiki <= 18 (

A stored XSS vulnerability allows an authenticated user injecting
JavaScript to gain administrator privileges if an administrator opens a
wiki page and moves the mouse pointer over a modified external link,
related to lib/parser/parserlib.php.

The issue is fixed in Tiki 18.1 and was backported to 12.13, 15.6 and 17.2.


2018-02-16: Issue discovered and reported
2018-02-19: Issue confirmed and fixed
2018-03-08: New Tiki version released


GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
