
Description

An authenticated code injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled, an authenticated user who has permission to access it can supply a `viewmode` value containing arbitrary PHP code, which the application executes. Successful exploitation yields remote code execution as the web server user. Exploitation requires a valid account with calendar access, so restricting that permission and disabling the module where it is not needed reduce exposure until the upgrade described in the vendor advisory is applied.
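As an added detection example for the record above (not code from Tiki, the advisory, or the exploit references), the following Python scans web server access logs for `tiki-calendar.php` requests whose `viewmode` value is anything other than a plain keyword. The allowlist of expected `viewmode` keywords is an assumption and should be adjusted to the values your Tiki install actually emits; the log lines are constructed samples in Apache combined format, including one double-URL-encoded value to show why the check decodes twice.

```python
"""Flag tiki-calendar.php requests whose viewmode parameter is not a bare keyword.

Added example for this CVE record; not Tiki code. EXPECTED_VIEWMODES is an
assumption about legitimate values, and SAMPLE_LOG is constructed test data.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed legitimate viewmode keywords (assumption, not taken from Tiki source).
EXPECTED_VIEWMODES = {"day", "week", "month", "quarter", "semester", "year"}

# Apache combined log: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_viewmode(target):
    """Return the decoded viewmode value when `target` is a tiki-calendar.php
    request whose viewmode is not an expected keyword; otherwise return None."""
    parts = urlsplit(target)
    if parts.path != "tiki-calendar.php" and not parts.path.endswith("/tiki-calendar.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("viewmode")
    if not values or values[0] == "":
        return None
    # parse_qs already decoded once; decode again so %2527 -> %27 -> ' is caught.
    value = unquote(values[0])
    if value.lower() in EXPECTED_VIEWMODES:
        return None
    return value


def scan_log(lines):
    """Return (client, user, status, viewmode) tuples for each suspicious request.
    Lines that do not parse as combined-format entries are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_viewmode(m["target"])
        if value is not None:
            hits.append((m["client"], m["user"], m["status"], value))
    return hits


# Constructed sample log (not real traffic). Tiki authenticates at the
# application layer, so the HTTP auth user field is usually "-".
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2025:10:01:02 +0000] "GET /tiki-calendar.php?viewmode=month&calIds[]=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jul/2025:10:01:09 +0000] "GET /tiki-calendar.php?viewmode=%27%3Bphpinfo%28%29%3B%2F%2F HTTP/1.1" 200 70412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Jul/2025:10:02:17 +0000] "GET /tiki-index.php?viewmode=%27 HTTP/1.1" 200 2200 "-" "curl/8.0"',
    '203.0.113.7 - - [15/Jul/2025:10:03:44 +0000] "GET /tiki-calendar.php?viewmode=%2527%253Bsleep%25285%2529%253B%252F%252F HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]

if __name__ == "__main__":
    for client, user, status, value in scan_log(SAMPLE_LOG):
        print(f"{client} user={user} status={status} viewmode={value!r}")
```

Only the path and the `viewmode` value are inspected, so the check is independent of whatever payload shape a given exploit uses; a 403 from an intermediate WAF still surfaces because the value itself is anomalous, which is what you want when confirming whether a blocked probe was preceded by a successful one from the same client.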

Status: Published | Reserved 2025-04-15 | Published 2025-07-15 | Updated 2026-05-15 | Assigner: VulnCheck

Severity: HIGH 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-306 Missing Authentication for Critical Function

CWE-20 Improper Input Validation

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Affected: any version (the record lists four product entries, each marked "any version"; the version ranges are given in the description above)

Credits

Dany Ouellet (finder)

References

tiki.org/...-Important-Security-Fix-for-all-versions-of-Tiki (vendor advisory, patch)

www.exploit-db.com/exploits/39965 (exploit)

raw.githubusercontent.com/...inux/http/tiki_calendar_exec.rb (exploit)

www.acunetix.com/...mote-code-execution-via-calendar-module/ (third-party advisory)

www.vulncheck.com/...ed-command-injection-in-calendar-module (third-party advisory)

cve.org (CVE-2025-34113)

nvd.nist.gov (CVE-2025-34113)
