CVE-2024-46878
Cross-Site Scripting in Tiki Editpage.php Allows Code Execution
Publication date: 2026-03-23
Last updated on: 2026-04-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tiki | tiki | to 27.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can lead to attackers executing arbitrary JavaScript code in your users' browsers, which may result in unauthorized actions being performed without the users' consent."}, {'type': 'paragraph', 'content': 'Potential impacts include theft of sensitive information such as session cookies, enabling session hijacking, and performing actions on behalf of the victim user, which can compromise the security and integrity of your application.'}, {'type': 'paragraph', 'content': 'If exploited, it can undermine user trust and lead to further security breaches within your system.'}] [1]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2024-46878 is a Reflected Cross-Site Scripting (XSS) vulnerability in Tiki CMS versions 26.3 and earlier. It exists in the `page` parameter of the `tiki-editpage.php` script, where user input is not properly sanitized or encoded before being reflected in the HTTP response.'}, {'type': 'paragraph', 'content': "This flaw allows an attacker to inject and execute arbitrary JavaScript code in the context of another user's browser by crafting a malicious request. The injected script can run when the victim interacts with the page, such as triggering JavaScript execution on mouseover."}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited by an authenticated attacker to perform actions like session hijacking or unauthorized operations on behalf of the victim user.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability exists in the `page` parameter of the `tiki-editpage.php` script in Tiki CMS versions 26.3 and earlier. Detection can be attempted by sending crafted HTTP GET requests to the vulnerable endpoint with JavaScript payloads in the `page` parameter to see if the payload is reflected and executed.'}, {'type': 'paragraph', 'content': 'For example, a command using curl to test the vulnerability might look like this:'}, {'type': 'list_item', 'content': 'curl -i "http://your-tiki-site/tiki-editpage.php?page=<script>alert(\'XSS\')</script>"'}, {'type': 'paragraph', 'content': 'If the response contains the injected script without proper encoding or sanitization, it indicates the presence of the vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade Tiki CMS to version 27.1 or later, where this vulnerability has been fixed.
Since Tiki 26.x has reached end-of-life and no longer receives security fixes, continuing to use it poses a security risk.
Additional steps include restricting access to the vulnerable page, applying any available security patches, and monitoring for suspicious activity related to XSS attacks until the upgrade can be performed.