CVE-2019-15314

Name of the Vulnerable Software and Affected Versions Tiki version 18.4

Description The issue allows remote attackers to upload JavaScript code, which is then executed when visiting a specific URI, such as "tiki/tiki-download file.php?display&fileId=".

Recommendations For version 18.4, consider restricting access to the tiki-upload file.php and tiki-download file.php scripts until a patch is available. As a temporary workaround, avoid using the fileId parameter in the tiki/tiki-download file.php endpoint to minimize the risk of exploitation.