CSV Injection Vulnerability in Tiki 17.1 Allows Remote Code Execution

CSV Injection Vulnerability in Tiki 17.1 Allows Remote Code Execution

CVE-2018-7304 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.

Learn more about our User Device Pen Test.