CVE-2007-5684 - Vulnerability Details - OpenCVE

Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded "..%2F" sequences in the imp_language parameter to tiki-imexport_languages.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tiki	Tikiwiki Cms\/groupware

Configuration 1 [-]

OR	cpe:2.3:a:tiki:tikiwiki_cms\/groupware::::::::
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.6.1:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc1::::::
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc2::::::
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.0:rc3::::::
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.1:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.2:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.3:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.4:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.5:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.6:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.7:::::::*
	cpe:2.3:a:tiki:tikiwiki_cms\/groupware:1.9.8:::::::*

No data.

References

Link	Providers
http://info.tikiwiki.org/tiki-read_article.php?articleId=15
http://www.securityfocus.com/archive/1/482801/30/0/threaded

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-10-26T18:00:00

Updated: 2024-08-07T15:39:13.629Z

Reserved: 2007-10-26T00:00:00

Link: CVE-2007-5684

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-10-26T18:46:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-5684

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-10-24T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded \"..%2F\" sequences in the imp_language parameter to tiki-imexport_languages.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2007-12-21T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15"}, {"name": "20071025 TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/482801/30/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-5684", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded \"..%2F\" sequences in the imp_language parameter to tiki-imexport_languages.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15", "refsource": "CONFIRM", "url": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15"}, {"name": "20071025 TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/482801/30/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T15:39:13.629Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15"}, {"name": "20071025 TikiWiki <= 1.9.8.1 Cross Site Scripting / Local File Inclusion", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/482801/30/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-5684", "datePublished": "2007-10-26T18:00:00", "dateReserved": "2007-10-26T00:00:00", "dateUpdated": "2024-08-07T15:39:13.629Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD2B821A-4879-423C-B2EF-811F1F0D3F90", "versionEndIncluding": "1.9.8.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "04CA9500-8F56-40DC-A6C4-F9964EFCD4F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "B13501C0-3322-4D0C-8F7F-12535C76CB69", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "6FB63DA4-E9B5-4BDF-A4E5-54F4EE4E94AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "ADE04A29-E90B-41E1-A8B4-462B54C079B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "2540703B-63B8-41F4-A17A-0274A7DE7E63", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "1489E8DC-11E7-49A3-84FF-909954147D01", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "035EEFAB-B46C-407F-BF8C-B33756D4EEC3", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "127349FA-B76D-402A-B688-F2F44024FA11", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "175D43FD-450F-443E-831B-B8091BE7054F", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "2F437662-CD55-477B-9FEE-0CC4E6CB908D", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "EB235741-1FDA-4C90-BD6A-22D18D57D240", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "62C09D81-AA53-4E82-BEA6-D321D95D2E0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:tiki:tikiwiki_cms\\/groupware:1.9.8:*:*:*:*:*:*:*", "matchCriteriaId": "8CE1CDD1-27F1-456C-933E-24219E6190CC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) local_php parameters to (a) tiki-index.php, or (3) encoded \"..%2F\" sequences in the imp_language parameter to tiki-imexport_languages.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de escalado de directorio en el TikiWiki 1.9.8.1 y versiones anteriores permiten a atacantes remotos incluir y ejecutar ficheros de su elecci\u00f3n a trav\u00e9s de un nombre de ruta absoluta en los par\u00e1metros (1) error_handler_file y (2) local_php en el a) tiki-index.php, o en las secuencias (3) codificadas \"..%2F\" en el par\u00e1metro imp_language del tiki-imexport_languages.php."}], "id": "CVE-2007-5684", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-10-26T18:46:00.000", "references": [{"source": "cve@mitre.org", "url": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/482801/30/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://info.tikiwiki.org/tiki-read_article.php?articleId=15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/482801/30/0/threaded"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}