blob: 0cf8291c9cad866ea8c03974cc4ad9cc4e1ec0e8 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200510-23">
<title>TikiWiki: XSS vulnerability</title>
TikiWiki is vulnerable to cross-site scripting attacks.
<product type="ebuild">tikiwiki</product>
<announced>October 28, 2005</announced>
<revised>May 22, 2006: 02</revised>
<package name="www-apps/tikiwiki" auto="yes" arch="*">
<unaffected range="ge"></unaffected>
<vulnerable range="lt"></vulnerable>
TikiWiki is a web-based groupware and content management system (CMS),
using PHP, ADOdb and Smarty.
Due to improper input validation, TikiWiki can be exploited to perform
cross-site scripting attacks.
<impact type="low">
A remote attacker could exploit this to inject and execute malicious
script code or to steal cookie-based authentication credentials,
potentially compromising the victim's browser.
There is no known workaround at this time.
All TikiWiki users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-apps/tikiwiki-;</code>
Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.
<uri link="">CVE-2005-3283</uri>
<metadata tag="submitter" timestamp="Wed, 26 Oct 2005 19:43:33 +0000">
<metadata tag="bugReady" timestamp="Thu, 27 Oct 2005 18:43:45 +0000">