CVE-2004-1924 in TikiWiki
Summary
by MITRE
Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php, (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php.
Analysis
by VulDB Data Team • 06/14/2025
The vulnerability described in CVE-2004-1924 represents a critical cross-site scripting flaw affecting Tiki CMS/Groupware version 1.8.1 and earlier. This issue stems from insufficient input validation and output sanitization across multiple script files within the TikiWiki application, creating numerous entry points for malicious actors to inject arbitrary web scripts or HTML content into the application's response. The vulnerability manifests when user-supplied parameters are directly incorporated into web pages without proper sanitization, allowing attackers to execute malicious code in the context of other users' browsers.
The technical flaw operates through parameter manipulation in various TikiWiki scripts, specifically targeting parameters such as theme, find, priority, flag, sort_mode, articleId, parentId, comments_threshold, galleryId, faqId, chartId, and surveyId. These parameters are processed by scripts including tiki-switch_theme.php, messu-mailbox.php, messu-read.php, tiki-read_article.php, tiki-browse_categories.php, tiki-index.php, tiki-print_article.php, tiki-list_file_gallery.php, tiki-upload_file.php, tiki-view_faq.php, tiki-view_chart.php, and tiki-survey_stats_survey.php. The vulnerability is classified under CWE-79 as "Cross-site Scripting" and represents a classic injection flaw where untrusted data flows directly into HTML output without proper encoding or validation.
The operational impact of this vulnerability is severe and multifaceted, as it allows remote attackers to execute arbitrary scripts in victims' browsers, potentially leading to session hijacking, credential theft, defacement of web content, or redirection to malicious sites. Attackers can exploit these vulnerabilities to compromise user sessions, steal sensitive information, or perform unauthorized actions within the context of the vulnerable application. The widespread nature of the vulnerability across multiple components of TikiWiki increases the attack surface and makes it particularly dangerous for organizations relying on this CMS for collaborative workgroup environments.
Mitigation strategies for CVE-2004-1924 should include immediate patching to version 1.8.2 or later, which contains the necessary input validation fixes. Organizations should implement comprehensive input sanitization across all user-supplied parameters, employ proper output encoding techniques, and establish strict parameter validation routines (for example, allowlisting the theme name and accepting only integers for identifiers such as articleId, galleryId, faqId, chartId, and surveyId). The ATT&CK framework categorizes this vulnerability under T1059.008 for "Command and Scripting Interpreter: PowerShell" and T1566.001 for "Phishing: Spearphishing Attachment", as attackers can leverage these XSS flaws to deliver malicious payloads. Content Security Policy headers, regular security audits, and web application firewalls provide further defense-in-depth measures. Organizations should also consider automated vulnerability scanning to identify similar issues in other web applications and ensure proper input validation practices throughout their development lifecycle.
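The following PHP snippet is an added illustration of the flaw class described in the analysis and of the mitigations listed above; it is not TikiWiki's own code, and the function names, the theme list and the sample request are constructed for the example. It shows the unsafe pattern (a request parameter concatenated straight into markup) next to a hardened version that allowlists the theme name, accepts only integer identifiers, encodes free-text values at output, and sends a Content Security Policy as a second layer.

```php
<?php
// Added example, not code from TikiWiki: the CVE-2004-1924 pattern and its fix.
// All function names and the theme list below are hypothetical.
declare(strict_types=1);

// Unsafe pattern: the "theme" parameter lands in HTML without any check.
function render_theme_vulnerable(array $get): string
{
    $theme = $get['theme'] ?? 'default';
    return '<link rel="stylesheet" href="styles/' . $theme . '.css">';
}

// Hardened: reject anything that is not a known theme, then still encode at output.
const KNOWN_THEMES = ['default', 'moreneat', 'smartiki']; // constructed allowlist

function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_theme_safe(array $get): string
{
    $theme = $get['theme'] ?? 'default';
    if (!is_string($theme) || !in_array($theme, KNOWN_THEMES, true)) {
        $theme = 'default';
    }
    return '<link rel="stylesheet" href="styles/' . html($theme) . '.css">';
}

// Numeric identifiers (articleId, galleryId, faqId, chartId, surveyId, parentId):
// validate the type instead of trusting the string. ctype_digit rejects signs,
// whitespace, hex and anything else that is not 0-9; the length cap avoids overflow.
function read_id_param(array $get, string $name): ?int
{
    $raw = $get[$name] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

function render_article_safe(array $get): string
{
    $id = read_id_param($get, 'articleId');
    if ($id === null) {
        return '<p>Invalid article id.</p>';
    }
    return '<h1>Article ' . $id . '</h1>'; // an int cannot carry markup
}

// Free-text parameters such as "find" and "sort_mode" cannot be allowlisted,
// so the only correct defence is encoding at the point of output.
function render_find_safe(array $get): string
{
    $find = $get['find'] ?? '';
    if (!is_string($find)) {
        $find = '';
    }
    return '<input type="text" name="find" value="' . html($find) . '">';
}

// Defence in depth: a CSP that disallows inline script limits the damage
// if an encoding mistake slips through elsewhere.
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
}

// Constructed request that mixes markup into each kind of parameter.
$request = [
    'theme'     => '"><script>alert(1)</script>',
    'articleId' => '12abc',
    'find'      => '<b>injected</b>',
];

echo render_theme_vulnerable($request), "\n"; // the script tag survives: the bug
echo render_theme_safe($request), "\n";       // falls back to the default theme
echo render_article_safe($request), "\n";     // non-numeric id is rejected
echo render_find_safe($request), "\n";        // markup is encoded, not executed
echo csp_header(), "\n";

// Self-checks: no raw tag reaches the hardened output.
assert(strpos(render_theme_safe($request), '<script') === false);
assert(strpos(render_find_safe($request), '<b>') === false);
assert(read_id_param(['articleId' => '42'], 'articleId') === 42);
```

Run it with `php example.php`; the first line of output shows the injected tag intact, and the remaining lines show the same request handled safely. The point the example makes is that allowlisting and type validation are decided per parameter, while output encoding is applied to every value regardless of how it was validated.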