Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9325 | 1 Twiki | 1 Twiki | 2015-01-02 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. | |||||
| CVE-2014-9367 | 1 Twiki | 1 Twiki | 2015-01-02 | 4.3 MEDIUM | N/A |
| Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch. | |||||
| CVE-2011-3010 | 1 Twiki | 1 Twiki | 2012-05-17 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in TWiki before 5.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the newtopic parameter in a WebCreateNewTopic action, related to the TWiki.WebCreateNewTopicTemplate topic; or (2) the query string to SlideShow.pm in the SlideShowPlugin. | |||||
| CVE-2006-4294 | 1 Twiki | 1 Twiki | 2011-03-07 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in viewfile in TWiki 4.0.0 through 4.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. | |||||
| CVE-2006-3336 | 1 Twiki | 1 Twiki | 2011-03-07 | 4.0 MEDIUM | N/A |
| TWiki 01-Dec-2000 up to 4.0.3 allows remote attackers to bypass the upload filter and execute arbitrary code via filenames with double extensions such as ".php.en", ".php.1", and other allowed extensions that are not .txt. NOTE: this is only a vulnerability when the server allows script execution in the pub directory. | |||||
| CVE-2009-4898 | 1 Twiki | 1 Twiki | 2010-11-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339. | |||||
| CVE-2008-5305 | 1 Twiki | 1 Twiki | 2009-03-02 | 10.0 HIGH | N/A |
| Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable. | |||||
| CVE-2007-5193 | 2 Debian, Twiki | 2 Debian Linux, Twiki | 2008-11-14 | 5.0 MEDIUM | N/A |
| The default configuration for twiki 4.1.2 on Debian GNU/Linux, and possibly other operating systems, specifies the work area directory (cfg{RCS}{WorkAreaDir}) under the web document root, which might allow remote attackers to obtain sensitive information when .htaccess restrictions are not applied. | |||||
| CVE-2008-4998 | 1 Twiki | 1 Twiki | 2008-11-09 | 6.9 MEDIUM | N/A |
| ** DISPUTED ** postinst in twiki 4.1.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/twiki temporary file. NOTE: the vendor disputes this vulnerability, stating "this bug is invalid." | |||||