Description
lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php.
References (2)
Core 2
Core References
Patch, Vendor Advisory x_refsource_misc
https://github.com/tikiorg/tiki/commit/6c016e8f066d2f404b18eaa1af7fa0c7a9651ccd
Exploit, Third Party Advisory x_refsource_misc
https://www.cdxy.me/?p=763
Scores
CVSS v3
6.1
EPSS
0.0087
EPSS Percentile
54.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
tiki/tikiwiki_cms\/groupware
16.2
Published
May 31, 2017
Tracked Since
Feb 18, 2026