CVE-2020-8966

MEDIUM

Published Apr 1, 20206y ago · Modified Jun 17, 20261w ago

6.1 CVSS 3.1

Medium

Published Apr 1, 2020 6y ago

Last Modified Jun 17, 2026 1w ago

Description

There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page.

CVSS Details

Base Score

6.1

Exploitability

2.8

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 2

CWE-79 Cross-site Scripting Injection

CWE-80

Affected Products 1

Vendor	Product	Version	Range
tiki	tikiwiki_cms\/groupware	*	≤20.0

References 2

sourceforge.net https://sourceforge.net/p/tikiwiki/code/75455

Patch
incibe-cert.es https://www.incibe-cert.es/en/early-warning/security-advisories/cross-site-scripting-xss-flaws-found-tiki-wiki-cms-software

Third Party Advisory

Remediation

sourceforge.net https://sourceforge.net/p/tikiwiki/code/75455

Patch