
List:       oss-security
Subject:    Re: [oss-security] CSRF vulnerability in Tiki <= 17.0, 16.2, 15.4 LTS and 12.11 LTS
From:       chbi () chbi ! eu
Date:       2017-09-29 17:33:00
Message-ID: e2424550-ade1-e19a-bd1c-11ac7b30e0f0 () chbi ! eu



> Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an
> authenticated user to gain administrator privileges if an administrator
> opens a wiki page with the IMG tag.
> 
> Fix:
> https://sourceforge.net/p/tikiwiki/code/63829

CVE-2017-14924 has been assigned.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14924


> Cross-Site Request Forgery (CSRF) vulnerability via IMG tag allows an
> authenticated user to edit global permissions if an administrator opens
> a wiki page with the IMG tag. For example, an attacker could assign
> administrator privileges to every unauthenticated user of the site.
> 
> Fix:
> https://sourceforge.net/p/tikiwiki/code/63872

CVE-2017-14925 has been assigned.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14925


-- 
chbi
https://chbi.eu

GPG: 3DE9 9187 4BE9 EAE6 3CA8  DC20 BA7B 93F9 9037 AE7E
     https://chbi.eu/chbi.asc
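As an added illustration of the bug class the two advisories above describe (not Tiki's code and not the referenced fixes), the toy below models a wiki's "grant admin" endpoint twice: once reachable by a plain GET guarded only by the session cookie, which an `<img>` tag in any wiki page triggers when an administrator views it, and once requiring POST, a matching Origin and a per-session anti-CSRF ticket. The endpoint, session table and origin are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy model of a wiki permission endpoint (hypothetical; not Tiki's code)
# showing why a state change reachable by a plain GET is CSRF-able via <img>.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"admin-session": "admin", "user-session": "mallory"}  # constructed
SITE_ORIGIN = "https://wiki.example"  # assumed origin of the wiki

def make_ticket(session_id: str) -> str:
    """Anti-CSRF ticket bound to the session; a third-party page cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    method: str
    session_id: str                 # cookie the browser attaches automatically
    params: dict = field(default_factory=dict)
    origin: str = ""                # Origin header; empty on an <img> fetch

@dataclass
class Site:
    admins: set = field(default_factory=lambda: {"admin"})

    def _is_admin(self, req: Request) -> bool:
        return SESSIONS.get(req.session_id) in self.admins

    def grant_admin_vulnerable(self, req: Request) -> int:
        # Vulnerable pattern: the only check is the session cookie, and the
        # action fires on GET, so an <img src="...?user=X"> placed in any wiki
        # page runs it with the admin's credentials when the admin views it.
        if self._is_admin(req):
            self.admins.add(req.params["user"])
            return 200
        return 403

    def grant_admin_fixed(self, req: Request) -> int:
        # Hardened: require POST, a matching Origin, and a valid per-session
        # ticket compared in constant time. An <img> fetch fails all three.
        if req.method != "POST" or req.origin != SITE_ORIGIN:
            return 403
        if not hmac.compare_digest(req.params.get("ticket", ""),
                                   make_ticket(req.session_id)):
            return 403
        if not self._is_admin(req):
            return 403
        self.admins.add(req.params["user"])
        return 200
```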


