CVE-2012-3996

Tikiwiki Cms/groupware < 8.2 - Information Disclosure

Title source: rule

Description

TikiWiki CMS/Groupware 8.3 and earlier allows remote attackers to obtain the installation path via a direct request to (1) admin/include_calendar.php, (2) tiki-rss_error.php, or (3) tiki-watershed_service.php.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubywebappsphp

https://www.exploit-db.com/exploits/19630

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by EgiX · phpwebappsphp

https://www.exploit-db.com/exploits/19573

View Code ZIP pw:eip

References (7)

[Exploit] http://archives.neohapsis.com/archives/bugtraq/2012-07/0020.html

[Patch] http://dev.tiki.org/item4109

[Patch] http://info.tiki.org/article190-Tiki-Wiki-CMS-Groupware-Updates-Tiki-6-7-LTS

[Patch] http://info.tiki.org/article191-Tiki-Releases-8-4

[Exploit] http://www.exploit-db.com/exploits/19573

[Exploit] http://www.exploit-db.com/exploits/19630

[Third Party Advisory, VDB Entry] http://www.osvdb.org/83533

Scores

EPSS 0.1625

EPSS Percentile 94.8%

Details

CWE

CWE-200

Status published

Products (24)

tiki/tikiwiki_cms\/groupware 2.2

tiki/tikiwiki_cms\/groupware 3.0

tiki/tikiwiki_cms\/groupware 3.1

tiki/tikiwiki_cms\/groupware 3.2

tiki/tikiwiki_cms\/groupware 3.3

tiki/tikiwiki_cms\/groupware 3.4

tiki/tikiwiki_cms\/groupware 3.5

tiki/tikiwiki_cms\/groupware 4

tiki/tikiwiki_cms\/groupware 4.0

tiki/tikiwiki_cms\/groupware 4.1

... and 14 more

Published Jul 12, 2012

Tracked Since Feb 18, 2026