Date: Thu, 28 Sep 2017 20:31:57 +0200
From: chbi@...i.eu
To: oss-security@...ts.openwall.com
Subject: CSRF vulnerability in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS

Hi,

there are two security issues in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11
LTS (https://tiki.org)


Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an
authenticated user to gain administrator privileges if an administrator
opens a wiki page with the IMG tag.

Fix:
https://sourceforge.net/p/tikiwiki/code/63829


Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an
authenticated user to edit global permissions if an administrator opens
a wiki page with the IMG tag. For example, an attacker could assign
administrator privileges to every unauthenticated user of the site.

Fix:
https://sourceforge.net/p/tikiwiki/code/63872


Both issues are fixed in Tiki 17.1, Tiki 16.3, Tiki 15.5 LTS and Tiki
12.12 LTS.

https://tiki.org/article449-Security-and-bug-fix-updates-Tiki-17-1-Tiki-16-3-15-5-and-Tiki-12-12-released


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc
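Added illustration (not Tiki's code, and not from the advisory author): the IMG-tag vector above works because a browser fetching an image sends the administrator's session cookie with a plain GET and no anti-CSRF ticket. The guard below shows the defence a handler needs, requiring a POST plus a per-session ticket before any privilege change; `Session`, `Request` and `assign_admin` are hypothetical stand-ins, not Tiki's API.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    # Hypothetical session object, resolved from the session cookie.
    user: str
    csrf_ticket: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    # Hypothetical request: method, merged query/form parameters, session.
    method: str
    params: dict
    session: Session


def is_safe_state_change(req: Request) -> bool:
    """True only for an intentional form submission, not an image fetch.

    A request triggered by an <img src=...> on a wiki page is always a GET
    and can never carry the viewer's per-session ticket, so both checks
    fail for it even though the session cookie is attached.
    """
    if req.method != "POST":
        return False
    submitted = req.params.get("ticket", "")
    if not submitted:
        return False
    # Constant-time comparison so the ticket cannot be guessed byte by byte.
    return hmac.compare_digest(submitted, req.session.csrf_ticket)


def assign_admin(req: Request, perms: dict, target: str) -> str:
    """Hypothetical privileged action; perms maps user -> set of groups."""
    if not is_safe_state_change(req):
        return "rejected"
    perms.setdefault(target, set()).add("Admins")
    return "ok"
```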


