{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-46879", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T15:14:16.483Z", "dateReserved": "2024-09-12T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T19:27:37.348Z"}, "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS"}, {"url": "https://tiki.org/article515-New-Security-Update-Released-for-Tiki-21-x-LTS-and-Upgrade-is-Strongly-Recommended"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "references": [{"url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T15:10:15.313349Z", "id": "CVE-2024-46879", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:14:16.483Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-46879", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T15:10:15.313349Z"}}}], "references": [{"url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:11:08.292Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS"}, {"url": "https://tiki.org/article515-New-Security-Update-Released-for-Tiki-21-x-LTS-and-Upgrade-is-Strongly-Recommended"}], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T19:27:37.348Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46879", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:14:16.483Z", "dateReserved": "2024-09-12T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3316DA5-23FE-4AEB-8EFC-369ECFBD0AF1", "versionEndExcluding": "21.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) reflejado existe en los datos de la solicitud POST zipPath de tiki-admin_system.php en la versi\u00f3n 21.2 de Tiki. Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo JavaScript arbitrario a trav\u00e9s de una carga \u00fatil manipulada, lo que puede llevar a un acceso potencial a informaci\u00f3n sensible o acciones no autorizadas."}], "id": "CVE-2024-46879", "lastModified": "2026-04-02T20:11:38.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T20:16:22.530", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://tiki.org/article515-New-Security-Update-Released-for-Tiki-21-x-LTS-and-Upgrade-is-Strongly-Recommended"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ColdFusionX/CVE-2024-46879-TikiCMS-XSS"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "21.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tiki", "vendor": "tiki"}], "analysis": {"en": {"generated_at": "2026-04-02T22:46:10.326336+00:00", "value": {"mitigation_remediation": ["Apply the official security update released by Tiki for the 21.x LTS series to remove the reflected XSS flaw."], "summary": {"action": "Patch", "impact": "Client-side Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Tiki CMS version 21.2. Site administrators should verify that their installation matches this version and, if so, update to the latest 21.x LTS release that addresses the XSS problem. It is not related to any other documented product versions.", "description_and_impact": "A reflected XSS flaw is present in the zipPath POST parameter of tiki-admin_system.php, enabling an attacker to inject and execute arbitrary JavaScript when a form is submitted. The malicious code runs within the victim\u2019s browser, allowing actions such as session hijacking or credential theft. This weakness is a classic input validation issue where output is not properly sanitized or encoded.", "risk_and_exploitability": "The flaw carries a moderate severity rating with an overall score of 5.4, indicating a non\u2011critical but meaningful risk. The likelihood of exploitation is very low\u2014under 1%\u2014and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to deliver a crafted POST request to tiki-admin_system.php, which requires the victim to load or submit a form containing malicious data. Because the issue is client\u2011side, the damage is limited to the victim\u2019s browser session, but any compromised user could unintentionally expose sensitive information."}}}}, "created": "2026-03-24T10:34:58.606040+00:00", "updated": "2026-04-03T09:39:10.801769+00:00", "vendors": ["tiki", "tiki$PRODUCT$tiki"]}