
THREATINT
PUBLISHED

CVE-2025-34113

Tiki Wiki CMS Authenticated Command Injection in Calendar Module



Description

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

Reserved 2025-04-15 | Published 2025-07-15 | Updated 2025-07-15 | Assigner VulnCheck


HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-306 Missing Authentication for Critical Function

CWE-20 Improper Input Validation

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

* affected
* affected
* affected
* affected

Credits

Dany Ouellet (finder)

References

tiki.org/...-Important-Security-Fix-for-all-versions-of-Tiki (vendor-advisory, patch)

www.exploit-db.com/exploits/39965 (exploit)

raw.githubusercontent.com/...inux/http/tiki_calendar_exec.rb (exploit)

www.acunetix.com/...mote-code-execution-via-calendar-module/ (third-party-advisory)

www.vulncheck.com/...ed-command-injection-in-calendar-module (third-party-advisory)

cve.org (CVE-2025-34113)

nvd.nist.gov (CVE-2025-34113)

https://cve.threatint.eu/CVE/CVE-2025-34113