Multiple cross-site scripting (XSS) vulnerabilities in Tikiwiki (aka Tiki CMS/Groupware) 1.9.x allow remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags such as "<scr<script>ipt>" in (1) offset and (2) days parameters in (a) tiki-lastchanges.php, the (3) find and (4) offset parameters in (b) tiki-orphan_pages.php, the (5) offset and (6) initial parameters in (c) tiki-listpages.php, and (7) an unspecified field in (d) tiki-remind_password.php; and allow remote authenticated users with admin privileges to inject arbitrary web script or HTML via (8) an unspecified field in a metatags action in (e) tiki-admin.php, the (9) offset parameter in (f) tiki-admin_rssmodules.php, the (10) offset and (11) max parameters in (g) tiki-syslog.php, the (12) numrows parameter in (h) tiki-adminusers.php, (13) an unspecified field in (i) tiki-adminusers.php, (14) an unspecified field in (j) tiki-admin_hotwords.php, unspecified fields in (15) "Assign new module" and (16) "Create new user module" in (k) tiki-admin_modules.php, (17) an unspecified field in "Add notification" in (l) tiki-admin_notifications.php, (18) the offset parameter in (m) tiki-admin_notifications.php, the (19) Name and (20) Dsn fields in (o) tiki-admin_dsn.php, the (21) offset parameter in (p) tiki-admin_content_templates.php, (22) an unspecified field in "Create new template" in (q) tiki-admin_content_templates.php, and the (23) offset parameter in (r) tiki-admin_chat.php.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.11904.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Tiki Subscribe
Tikiwiki Cms\/groupware Subscribe

Configuration 1 [-]

OR cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc1:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc2:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc3:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.1:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.2:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.3:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.3.1:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.3.2:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.4:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.5:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.6:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.7:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.8:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.8.1:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.9:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.10:*:*:*:*:*:*:*
cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.11:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://secunia.com/advisories/20334 cve-icon cve-icon
http://securityreason.com/securityalert/976 cve-icon cve-icon
http://tikiwiki.org/tiki-read_article.php?articleId=131 cve-icon cve-icon
http://www.osvdb.org/26048 cve-icon cve-icon
http://www.osvdb.org/26049 cve-icon cve-icon
http://www.osvdb.org/26050 cve-icon cve-icon
http://www.osvdb.org/26051 cve-icon cve-icon
http://www.osvdb.org/26052 cve-icon cve-icon
http://www.osvdb.org/26053 cve-icon cve-icon
http://www.osvdb.org/26054 cve-icon cve-icon
http://www.osvdb.org/26055 cve-icon cve-icon
http://www.osvdb.org/26056 cve-icon cve-icon
http://www.osvdb.org/26057 cve-icon cve-icon
http://www.osvdb.org/26058 cve-icon cve-icon
http://www.osvdb.org/26059 cve-icon cve-icon
http://www.osvdb.org/26060 cve-icon cve-icon
http://www.osvdb.org/26061 cve-icon cve-icon
http://www.osvdb.org/26062 cve-icon cve-icon
http://www.securityfocus.com/archive/1/435127/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/archive/1/436432/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/18143 cve-icon cve-icon
http://www.vupen.com/english/advisories/2006/2024 cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-07T17:58:51.547Z

Reserved: 2006-05-30T00:00:00

Link: CVE-2006-2635

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2006-05-30T10:02:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2006-2635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses