Comment 8 for bug 163833

Stephan Rügamer (sruegamer) wrote :

tikiwiki (1.9.7+dfsg-1ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #163833)
    + CVE-2007-4554: Cross-site scripting (XSS) vulnerability in
      tiki-remind_password.php in Tikiwiki (aka Tiki CMS/Groupware) 1.9.7 allows
      remote attackers to inject arbitrary web script or HTML via the username
      parameter. NOTE: this issue might be related to CVE-2006-2635.7.
    + CVE-2007-5423: Eval injection vulnerability in tiki-graph_formula.php in
      TikiWiki 1.9.8 allows remote attackers to execute arbitrary code via PHP
      sequences in the f array parameter.
    + CVE-2007-5682: Unspecified vulnerability in tiki-graph_formula.php in
      TikiWiki before 1.9.8.2 has unknown impact and attack vectors, a different
      vulnerability than CVE-2007-5423.
  * debian/patches/90_CVE-2007-4554.dpatch:
    - Applied patch by upstream
  * debian/patches/90_CVE-2007-5423_CVE-2007-5682.dpatch:
    - Applied patch by upstream
  * References:
    CVE-2007-4554
    CVE-2007-5423
    CVE-2007-5682

 -- Stephan Hermann <email address hidden> Mon, 26 Nov 2007 15:34:47 +0100