Tiki CMS Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Tiki CMS Groupware versions through 26.3. The issue resides in the 'page' parameter of the 'tiki-editpage.php' file. This vulnerability allows attackers to inject and execute arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking or unauthorized actions.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in another user's browser, which could be used to hijack their session or perform unauthorized actions on their behalf.

Reproduction

To reproduce this vulnerability, send a GET request to 'tiki-editpage.php' with a crafted 'page' parameter that includes JavaScript code, such as an 'onmouseover' event handler. Because the parameter value is reflected into the response without adequate output encoding, the injected script is executed in the browser when the page is loaded, demonstrating the XSS vulnerability.

Remediation

Users are advised to upgrade to Tiki CMS Groupware version 27.1 or later, as this vulnerability has been fixed in that release.
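For sites that cannot upgrade immediately, the Reproduction and Remediation sections above can be turned into two practical checks: a log scan that flags requests to 'tiki-editpage.php' whose 'page' value looks like markup rather than a wiki page name, and an illustration of the output encoding that prevents the reflection. The following Python is an added example written for this advisory; it is not Tiki's code, the sample access-log lines are constructed, and the function names (flag_request, scan_log, render_page_heading) are assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache combined format (not real traffic).
# Line 2 carries an event-handler attribute in 'page', line 4 a script tag; line 3
# targets a different script and should not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:20:34:01 +0000] "GET /tiki-editpage.php?page=HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2026:20:34:07 +0000] "GET /tiki-editpage.php?page=x%22%20onmouseover%3Dx%20y%3D%22 HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Mar/2026:20:34:09 +0000] "GET /tiki-index.php?page=HomePage HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2026:20:34:12 +0000] "GET /tiki-editpage.php?page=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 5200 "-" "curl/8.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup fragments that never belong in a wiki page name: a script tag, an
# HTML event-handler attribute preceded by a quote or whitespace, or a
# javascript: URL scheme.
SUSPICIOUS = re.compile(r'(<\s*script|["\'\s]on[a-z]+\s*=|javascript:)', re.IGNORECASE)


def flag_request(line):
    """Return a finding for a tiki-editpage.php request whose 'page' value
    contains markup, or None for anything else (including unparsable lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith('/tiki-editpage.php'):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get('page', []):
        decoded = unquote(value)  # second decode catches double-encoded values
        if SUSPICIOUS.search(decoded):
            return {'ip': m.group('ip'), 'ts': m.group('ts'), 'page': decoded}
    return None


def scan_log(text):
    """Run flag_request over every line and collect the findings."""
    return [f for f in (flag_request(line) for line in text.splitlines()) if f]


def render_page_heading(page):
    """Hardened rendering of a reflected parameter: HTML-encode it, including
    quotes, so a crafted value stays inert text inside the markup."""
    return '<h1>Editing: %s</h1>' % escape(page, quote=True)


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print('%(ts)s %(ip)s page=%(page)r' % finding)
    print(render_page_heading('x" onmouseover=x y="'))
```

The scan only inspects the 'page' parameter of 'tiki-editpage.php' and requires a quote or whitespace before an on*= attribute, which keeps ordinary page names such as "Onboarding" from being flagged; run it over exported access logs to see whether the vulnerable endpoint was probed before the upgrade to 27.1 was applied. The render_page_heading function shows the encoding a fix needs to apply wherever the parameter is echoed into HTML.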

Added: Mar 23, 2026, 8:34 PM
Updated: Mar 23, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.