PT-2018-18011 · Tiki · Tiki

Pranav Jagtap · Published 2018-02-21 · Updated 2020-08-24 · CVE-2018-7304

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tiki version 17.1

Description: The issue allows a CSV Injection attack because special characters in user input are not validated. When the stored value is later exported as CSV and opened in a spreadsheet application, it is interpreted as a formula, which can lead to malicious activity such as opening a CMD.EXE or Calculator window on the victim's machine. For example, a payload like "=cmd|' /C calc'!A0" can be entered during User Creation to exploit this issue.

Recommendations: For Tiki version 17.1, update the software to a version that includes input validation for special characters to prevent CSV Injection attacks.
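The recommendation above amounts to two controls: reject formula-triggering input where it is entered, and neutralize it again when data is exported. The following is an added illustration written for this page, not Tiki's own code; the function names, the user-export shape and the sample rows are assumptions, and the trigger list follows the OWASP CSV Injection guidance (=, +, -, @, tab, carriage return).

```python
import csv
import io

# Characters that make common spreadsheet applications treat a cell as a
# formula (or break out of one): '=', '+', '-', '@', tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_safe_user_input(value: str) -> bool:
    """Input-side validation, as the advisory recommends: reject values that
    a spreadsheet would read as a formula. Leading whitespace is stripped
    first because spreadsheets ignore it before the '=' as well."""
    return not value.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Output-side escaping for CSV export (defense in depth for data that
    was stored before validation existed). A leading apostrophe forces the
    cell to be treated as text, so the DDE pipe syntax in the payload is
    never evaluated."""
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_users_csv(rows):
    """Write rows to a CSV string, neutralizing every cell. csv.writer
    handles quoting of commas and double quotes itself; QUOTE_ALL keeps the
    output unambiguous for the importing application."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(str(c)) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample rows: a benign user and the payload from the advisory.
    users = [
        ["alice", "Alice Example"],
        ["mallory", "=cmd|' /C calc'!A0"],
    ]
    for username, display in users:
        print(f"{username!r} accepted: {is_safe_user_input(display)}")
    print(export_users_csv(users))
```

One caveat for the output side: `neutralize_cell` also prefixes genuinely numeric strings such as "-5". A column that is meant to be numeric should be converted to a number before export rather than passed through the text path, otherwise the apostrophe changes how the importing spreadsheet treats it.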

Tags: Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers: CVE-2018-7304

Affected Products: Tiki