CVE-2019-15314

1. CVE-2019-15314
2.  
3. > [Description]
4. > tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to
5. > upload JavaScript code that is executed upon visiting a
6. > tiki/tiki-download_file.php?display&fileId= URI.
7. >
8. > ------------------------------------------
9. >
10. > [Additional Information]
11. > File upload and JavaScript code injection.
12. > http://127.0.0.1/tiki/tiki-upload_file.php
13. >
14. > The TikiWiki CMS application allows you to upload a JavaScript file in the "File Upload" module.
15. > When viewing the uploaded file, the JavaScript code runs in the client browser.
16. >
17. > The injected JavaScript code is stored by the application and executed every time someone views it.
18. > ["Browser display (Raw / Download)"]
19. > http://127.0.0.1/tiki/tiki-download_file.php?fileId=17&display
20. >
21. > ------------------------------------------
22. >
23. > [Vulnerability Type]
24. > Cross Site Scripting (XSS)
25. >
26. > ------------------------------------------
27. >
28. > [Vendor of Product]
29. > https://tiki.org/HomePage
30. >
31. > ------------------------------------------
32. >
33. > [Affected Product Code Base]
34. > Tiki Wiki CMS - 18.4
35. >
36. > ------------------------------------------
37. >
38. > [Affected Component]
39. > Affected component: tiki-upload_file.php
40. >
41. > ------------------------------------------
42. >
43. > [Attack Type]
44. > Remote
45. >
46. > ------------------------------------------
47. >
48. > [Impact Code execution]
49. > true
50. >
51. > ------------------------------------------
52. >
53. > [Attack Vectors]
54. > Client side JavaScript code injection.
55. >
56. > ------------------------------------------
57. >
58. > [Reference]
59. > https://tiki.org/HomePage
60.  
61. Use CVE-2019-15314.