Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-46879

CVE-2024-46879: Tiki Wiki CMS Reflected XSS Vulnerability

CVE-2024-46879 is a reflected cross-site scripting flaw in Tiki Wiki CMS version 21.2 affecting tiki-admin_system.php that enables attackers to execute malicious JavaScript. This article covers technical details, impact, and mitigations.

Published:

CVE-2024-46879 Overview

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath parameter of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions within the context of an authenticated user's session.

Critical Impact

Attackers can execute arbitrary JavaScript in the context of authenticated administrator sessions, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the Tiki CMS platform.

Affected Products

  • Tiki CMS version 21.2
  • Tiki 21.x LTS branch (prior to security update)

Discovery Timeline

  • 2026-03-23 - CVE-2024-46879 published to NVD
  • 2026-03-24 - Last updated in NVD database

Technical Details for CVE-2024-46879

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the administrative system management interface of Tiki CMS, specifically within the tiki-admin_system.php file.

The vulnerability occurs when user-supplied input through the zipPath POST parameter is reflected back to the user without proper sanitization or encoding. When an administrator interacts with a malicious link or form that targets this endpoint, the attacker-controlled JavaScript payload executes within the administrator's browser context.

This is a reflected XSS vulnerability, meaning the malicious script is not stored on the server but is instead reflected off the web application to the victim's browser. The attack requires user interaction—specifically, an authenticated administrator must be tricked into submitting a crafted request.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the tiki-admin_system.php file. The zipPath parameter value is incorporated into the HTTP response without proper HTML entity encoding or other sanitization measures. This allows special characters used in JavaScript payloads (such as <, >, ", and ') to be interpreted as code rather than data.

Attack Vector

The attack vector is network-based and requires low privileges (authenticated user) combined with user interaction. An attacker would typically craft a malicious URL or form containing a JavaScript payload in the zipPath parameter. Through social engineering techniques such as phishing emails or malicious links, the attacker tricks an authenticated Tiki CMS administrator into clicking the link or submitting the form.

Once the administrator interacts with the malicious content, the JavaScript payload executes in their browser with the same privileges as the administrator session. This could allow the attacker to steal session cookies, perform actions on behalf of the administrator, modify page content, or redirect the user to malicious sites.

The attack can be delivered through various channels including:

  • Phishing emails containing malicious links
  • Compromised websites hosting malicious forms
  • Social media messages with crafted URLs
  • Forum posts or comments containing the malicious payload

Detection Methods for CVE-2024-46879

Indicators of Compromise

  • Unusual HTTP POST requests to tiki-admin_system.php containing script tags or JavaScript event handlers in the zipPath parameter
  • Web server logs showing encoded JavaScript payloads (e.g., %3Cscript%3E, %22onclick%3D) targeting the admin system endpoint
  • Reports from users of unexpected behavior or pop-ups when accessing Tiki administrative functions
  • Session anomalies indicating potential session hijacking following administrative access

Detection Strategies

  • Implement Web Application Firewall (WAF) rules to detect and block requests containing XSS payloads in POST parameters targeting tiki-admin_system.php
  • Configure intrusion detection systems to alert on patterns matching common XSS attack signatures in HTTP traffic to Tiki CMS installations
  • Enable detailed access logging for administrative endpoints and regularly review for suspicious parameter values
  • Deploy browser-based XSS detection solutions that can identify reflected content containing active scripts

Monitoring Recommendations

  • Monitor web server access logs for requests to tiki-admin_system.php with unusual or encoded parameter values
  • Set up alerts for high volumes of requests to administrative endpoints from unfamiliar IP addresses
  • Implement Content Security Policy (CSP) violation reporting to detect attempted script injection
  • Track and investigate any reports of phishing attempts targeting Tiki CMS administrators

How to Mitigate CVE-2024-46879

Immediate Actions Required

  • Upgrade Tiki CMS to the latest patched version as recommended in the Tiki Security Update Advisory
  • Restrict access to administrative endpoints like tiki-admin_system.php to trusted IP addresses only
  • Educate administrators about the risks of clicking links from untrusted sources
  • Review administrative session logs for any suspicious activity that may indicate prior exploitation

Patch Information

Tiki has released a security update addressing this vulnerability for the 21.x LTS branch. Administrators should upgrade to the latest available version immediately. Details about the security update can be found in the Tiki Security Update Advisory and the Tiki Newsletter Update.

A proof-of-concept for this vulnerability is available at the GitHub PoC Repository, which security teams can reference for understanding the attack mechanics and validating their mitigations.

Workarounds

  • Implement a Web Application Firewall (WAF) with XSS filtering rules to sanitize malicious input before it reaches the application
  • Configure network-level access controls to limit administrative interface access to known trusted IP addresses or VPN connections only
  • Enable and enforce Content Security Policy (CSP) headers to prevent inline script execution
  • Consider temporarily disabling or renaming tiki-admin_system.php if the functionality is not immediately required until patches can be applied
bash
# Example Apache .htaccess configuration to restrict admin access
<Files "tiki-admin_system.php">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.0/8
</Files>

# Example Content Security Policy header
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne