Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Twiki
(Twiki)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 29 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2008-11-07 | CVE-2008-4998 | postinst in twiki 4.1.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/twiki temporary file. NOTE: the vendor disputes this vulnerability, stating "this bug is invalid. | Twiki | N/A | ||
| 2020-02-17 | CVE-2014-7236 | Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. | Twiki | N/A | ||
| 2019-11-07 | CVE-2013-1751 | TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters. | Twiki | N/A | ||
| 2019-11-01 | CVE-2005-3056 | TWiki allows arbitrary shell command execution via the Include function | Twiki | N/A | ||
| 2019-03-21 | CVE-2018-20212 | bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via the webs parameter. | Twiki | 6.1 | ||
| 2014-12-31 | CVE-2014-9367 | Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch. | Twiki | N/A | ||
| 2014-12-31 | CVE-2014-9325 | Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences. | Twiki | N/A | ||
| 2014-10-15 | CVE-2014-7237 | lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte (%00) in a filename to bin/upload.cgi, as demonstrated using .htaccess to execute arbitrary code. | Windows, Twiki | N/A | ||
| 2013-01-04 | CVE-2012-6330 | The localization functionality in TWiki before 5.1.3, and Foswiki 1.0.x through 1.0.10 and 1.1.x through 1.1.6, allows remote attackers to cause a denial of service (memory consumption) via a large integer in a %MAKETEXT% macro. | Foswiki, Twiki | N/A | ||
| 2012-02-02 | CVE-2012-0979 | Cross-site scripting (XSS) vulnerability in TWiki allows remote attackers to inject arbitrary web script or HTML via the organization field in a profile, involving (1) registration or (2) editing of the user. | Twiki | N/A |