CVE-2025-34113

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

CVSS

No CVSS.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb
https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki
https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/
https://www.exploit-db.com/exploits/39965
https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module

Configurations

No configuration.

History

15 Jul 2025, 14:15

Type	Values Removed	Values Added
References	~~{'url': 'https://vulncheck/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module', 'source': 'disclosure@vulncheck.com'}~~	() https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module -

15 Jul 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-15 13:15

Updated : 2025-07-15 20:07

NVD link : CVE-2025-34113

Mitre link : CVE-2025-34113

CVE.ORG link : CVE-2025-34113

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2025-34113", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-15T13:15:31.273", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/tiki_calendar_exec.rb", "source": "disclosure@vulncheck.com"}, {"url": "https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki", "source": "disclosure@vulncheck.com"}, {"url": "https://www.acunetix.com/vulnerabilities/web/tiki-wiki-cms-remote-code-execution-via-calendar-module/", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/39965", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/tiki-wiki-cms-authenticated-command-injection-in-calendar-module", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "An authenticated command injection vulnerability exists in Tiki Wiki CMS versions \u226414.1, \u226412.4 LTS, \u22649.10 LTS, and \u22646.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user."}], "lastModified": "2025-07-15T20:07:28.023", "sourceIdentifier": "disclosure@vulncheck.com"}