CVE-2017-14924

HIGH

Tiki <16.3,17.x<17.1,12 LTS<12.12 LTS,15 LTS<15.5 LTS - CSRF

Title source: llm
STIX 2.1

Description

Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.

References (3)

Core 3
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/09/28/13
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/tikiwiki/code/63829

Scores

CVSS v3 8.0
EPSS 0.0050
EPSS Percentile 38.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (21)
tiki/tikiwiki_cms\/groupware 12.0
tiki/tikiwiki_cms\/groupware 12.1
tiki/tikiwiki_cms\/groupware 12.2
tiki/tikiwiki_cms\/groupware 12.3
tiki/tikiwiki_cms\/groupware 12.4
tiki/tikiwiki_cms\/groupware 12.5
tiki/tikiwiki_cms\/groupware 12.6
tiki/tikiwiki_cms\/groupware 12.7
tiki/tikiwiki_cms\/groupware 12.8
tiki/tikiwiki_cms\/groupware 12.9
... and 11 more
Published Sep 30, 2017
Tracked Since Feb 18, 2026