Tiki CMS Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Tiki CMS Groupware versions prior to 21.11. The issue resides in the 'zipPath' parameter of the 'tiki-admin_system.php' file. This vulnerability allows attackers to execute arbitrary JavaScript by injecting a crafted payload, which could lead to unauthorized actions or access to sensitive information.

Impact

Exploitation of this vulnerability allows an authenticated attacker to execute arbitrary JavaScript in the context of another user's browser, potentially hijacking their session or performing unauthorized actions on their behalf.

Reproduction

To reproduce this vulnerability, send a POST request to 'tiki-admin_system.php' with a crafted 'zipPath' parameter that includes JavaScript payload. The injected script will be executed in the victim's browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to Tiki CMS Groupware version 21.11 or later. Tiki 21.x will enter end of life in March 2025, after which it will no longer receive security fixes, so users should consider upgrading to Tiki 24.7 or Tiki 27.1.