CVE-2017-14925

HIGH

Tiki <16.3, 17.x <17.1, 12 LTS <12.12 LTS, 15 LTS <15.5 LTS - CSRF

Title source: llm
STIX 2.1

Description

Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site.

References (3)

Core 3
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2017/09/28/13
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/tikiwiki/code/63872

Scores

CVSS v3 8.0
EPSS 0.0051
EPSS Percentile 39.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (21)
tiki/tikiwiki_cms\/groupware 12.0
tiki/tikiwiki_cms\/groupware 12.1
tiki/tikiwiki_cms\/groupware 12.2
tiki/tikiwiki_cms\/groupware 12.3
tiki/tikiwiki_cms\/groupware 12.4
tiki/tikiwiki_cms\/groupware 12.5
tiki/tikiwiki_cms\/groupware 12.6
tiki/tikiwiki_cms\/groupware 12.7
tiki/tikiwiki_cms\/groupware 12.8
tiki/tikiwiki_cms\/groupware 12.9
... and 11 more
Published Sep 30, 2017
Tracked Since Feb 18, 2026