CVE-2009-1204

Name of the Vulnerable Software and Affected Versions TikiWiki (Tiki) CMS/Groupware version 2.2

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the PHP SELF portion of a URI to several endpoints, including "tiki-galleries.php", "tiki-list file gallery.php", "tiki-listpages.php", and "tiki-orphan pages.php".

Recommendations For TikiWiki (Tiki) CMS/Groupware version 2.2, consider restricting access to the affected endpoints as a temporary workaround until a patch is available. Avoid using the PHP SELF portion of a URI in these endpoints to minimize the risk of exploitation.