PT-2020-17125 · Tikiwiki · Tikiwiki

Published

2020-12-11

·

Updated

2020-12-14

·

CVE-2020-29254

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

TikiWiki version 21.2

Description

The issue is due to insufficient CSRF protections for the web-based management interface, allowing an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. This could enable the attacker to perform arbitrary actions on an affected system with the privileges of the user. The vulnerability can be exploited by persuading a user of the interface to follow a maliciously crafted link. If an authenticated user who is able to edit TikiWiki templates visits a malicious website, template code can be edited, potentially resulting in local file inclusion.

Recommendations

For TikiWiki version 21.2, consider implementing additional CSRF protections for the web-based management interface to prevent cross-site request forgery attacks. As a temporary workaround, restrict access to template editing features for authenticated users to minimize the risk of exploitation. Avoid allowing authenticated users to visit potentially malicious websites while logged into the TikiWiki interface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
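The weakness described above is a state-changing template-edit request that is honoured on the strength of the session cookie alone, and the recommendation is to add CSRF protection to that interface. The block below is an added, framework-agnostic illustration in Python (not TikiWiki's own PHP code) that places the vulnerable handler pattern beside a hardened one which binds a synchronizer token to the session and checks the Origin header; the session ids, the wiki origin and the form fields are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed, illustration-only state; Tiki's real session handling is not modelled.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": str, "can_edit_templates": bool}
WIKI_ORIGIN = "https://wiki.example"  # assumed origin of the management interface

def login(session_id, user, can_edit_templates):
    SESSIONS[session_id] = {"user": user, "can_edit_templates": can_edit_templates}

def issue_csrf_token(session_id):
    # Synchronizer token bound to the session: only the server can compute it, so a
    # page on another origin cannot forge it even though the victim's browser will
    # attach the session cookie to whatever that page submits.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def edit_template_unprotected(cookie_sid, form):
    # Vulnerable pattern: the session cookie alone authorises the edit, which is
    # exactly what a cross-site form submission carries.
    sess = SESSIONS.get(cookie_sid)
    if not sess or not sess["can_edit_templates"]:
        return "forbidden"
    return "saved:" + form["template"]

def edit_template_protected(cookie_sid, form, origin_header):
    sess = SESSIONS.get(cookie_sid)
    if not sess or not sess["can_edit_templates"]:
        return "forbidden"
    # Browsers send Origin on cross-site POSTs; anything but our own origin means
    # the form was not served by the wiki itself.
    if origin_header is not None and origin_header != WIKI_ORIGIN:
        return "rejected:origin"
    # The token must be the one issued for this session (constant-time compare).
    if not hmac.compare_digest(form.get("csrf_token", ""), issue_csrf_token(cookie_sid)):
        return "rejected:token"
    return "saved:" + form["template"]

def demo():
    login("sid-victim", "editor", True)
    forged = {"template": "tampered body"}  # cross-site form: cookie rides along, no token
    legit = {"template": "real edit", "csrf_token": issue_csrf_token("sid-victim")}
    return (edit_template_unprotected("sid-victim", forged),
            edit_template_protected("sid-victim", forged, "https://attacker.example"),
            edit_template_protected("sid-victim", forged, None),
            edit_template_protected("sid-victim", legit, WIKI_ORIGIN))
```

The Origin check catches the common browser-initiated case on its own, and the session-bound token still rejects a forged request when no Origin header is present, so the two checks back each other up.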

Exploit

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-29254

Affected Products

Tikiwiki