Cross Site Scripting (XSS) flaws found in Tiki-Wiki CMS software
Tiki Wiki CMS versions 20.0 and earlier.
INCIBE has coordinated the publication of a vulnerability in the Tiki Wiki content manager, with the code INCIBE-2020-0134, which has been discovered by Pablo Sebastián Arias Rodríguez, Rubén Barberà Pérez and Jorge Alberto Palma Reyes from S2Grupo at CSIRT-CV. Special thanks to the CSIRT-CV team (https://www.csirtcv.gva.es) composed by: Lourdes Herrero, Maite Moreno, José Vila, Adrián Antón, Adrián Capdevila, Aurora Villegas, Eva Lleonart, Fernando Cózar, Javier García, Manuel Rosa, Mario Ortiz, Mayte Aranda, Oscar Martínez, Sergio Hernández and Yolanda Olmedo who discovered a XSS flaws in Tiki-Wiki CMS software.
The vulnerability code CVE-2020-8966 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:H/RL:W/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:H/MI:N/MA:N)
Update to version 21.0.
Some php pages receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&". These characters could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).
Timeline
27/11/2019 – Researchers disclosure.
04/02/2020 – Researchers contact with INCIBE.
21/02/2020 – Tiki-Wiki Security Team confirms the vulnerability to INCIBE.
28/02/2020 – Vendor confirms that the fix version and the release software patch have been published.INCIBE, researchers and Vendor analyse the fix and agree to disclosure the advisory on March 31th.
31/03/2020 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.