CVE-2017-14924
HIGHTiki <16.3,17.x<17.1,12 LTS<12.12 LTS,15 LTS<15.5 LTS - CSRF
Title source: llmDescription
Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/09/28/13
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://tiki.org/article449-Security-and-bug-fix-updates-Tiki-17-1-Tiki-16-3-15-5-and-Tiki-12-12-released
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/tikiwiki/code/63829
Scores
CVSS v3
8.0
EPSS
0.0050
EPSS Percentile
38.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (21)
tiki/tikiwiki_cms\/groupware
12.0
tiki/tikiwiki_cms\/groupware
12.1
tiki/tikiwiki_cms\/groupware
12.2
tiki/tikiwiki_cms\/groupware
12.3
tiki/tikiwiki_cms\/groupware
12.4
tiki/tikiwiki_cms\/groupware
12.5
tiki/tikiwiki_cms\/groupware
12.6
tiki/tikiwiki_cms\/groupware
12.7
tiki/tikiwiki_cms\/groupware
12.8
tiki/tikiwiki_cms\/groupware
12.9
... and 11 more
Published
Sep 30, 2017
Tracked Since
Feb 18, 2026