What happened, Tiki-Wiki? XSS vulnerabilities, no thanks

Today’s post is a collaboration sent by the team of CSIRT-CV, the ICT Security Center of the Valencian Community, in relation to the detection of a vulnerability in the CMS Tiki-Wiki during last December.

A few months ago, in December 2019, the CSIRT-CV team discovered a vulnerability in the CMS Tiki-Wiki, a WordPress, Joomla or Drupal style content management system.

This vulnerability was published months later, in April 2020, with the code CVE-2020-8966, as can be seen on our alerts page, giving developers enough time to correct the problem detected in the application. All of this was channeled through INCIBE-CERT, which mediated with the developer company. Once corrected and published, and after the problems derived from the Covid-19, we have taken some time to go through its details.

During an penetration test carried out on an internal website using this CMS, several Reflected Cross-Site Scripting (XSS) vulnerabilities were detected on version 18.3, even though its exploitation was still effective on the last available version, v.20.0 at that time.

The XSS vulnerability allows code to be injected into a data entry field on a website: a search engine, a forum discussion field or a data collection form. The intention is to execute the injected code in the victim’s browser after they access the resource. This vulnerability can be persistent, when the injected code is stored on the site and executed in the browser of each user accessing the page, or reflected, when it is not stored but is embedded within the URL, and is sent to the victim to click on, such as an email, a social network link, etc.

[Read more…]