CVE-2018-7302

Name of the Vulnerable Software and Affected Versions Tiki version 17.1

Description The issue allows the upload of a .PNG file that actually contains SVG content, leading to a cross-site scripting (XSS) issue. This occurs because the software does not properly validate the content of uploaded files.

Recommendations For Tiki version 17.1, consider disabling the image upload feature until a patch is available to prevent the upload of malicious files. Restrict access to the file upload module to minimize the risk of exploitation. Avoid using the image upload feature in sensitive areas of the application until the issue is resolved.