
CVE-2025-34113: CWE-306 Missing Authentication for Critical Function in Tiki Software Community Association Wiki CMS Groupware

Severity: High
Tags: CVE-2025-34113, CWE-306, CWE-20, CWE-78
Published: Tue Jul 15 2025 (07/15/2025, 13:09:34 UTC)
Source: CVE Database V5
Vendor/Project: Tiki Software Community Association
Product: Wiki CMS Groupware

Description

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.

AI-Powered Analysis

Last updated: 07/15/2025, 13:31:33 UTC

Technical Analysis

CVE-2025-34113 is a high-severity authenticated command injection vulnerability affecting multiple versions of the Tiki Wiki CMS Groupware, specifically versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14. The vulnerability resides in the 'tiki-calendar.php' component, particularly in the handling of the 'viewmode' GET parameter when the calendar module is enabled. An authenticated user with permission to access the calendar module can exploit this flaw by injecting arbitrary PHP code through the 'viewmode' parameter. This leads to remote code execution (RCE) within the context of the web server user, potentially allowing full system compromise depending on the server configuration and privileges. The root cause is a missing authentication check for a critical function (CWE-306), combined with improper input validation (CWE-20) and command injection (CWE-78). The vulnerability requires that the attacker be authenticated with at least limited privileges (PR:L) but does not require user interaction (UI:N). The CVSS 4.0 base score is 8.7, reflecting the network attack vector, low attack complexity, no need for user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations using affected versions remain at risk until remediation is applied.

Potential Impact

For European organizations using Tiki Wiki CMS Groupware, this vulnerability poses a significant risk. The ability for an authenticated user to execute arbitrary PHP code remotely can lead to complete system compromise, data breaches, unauthorized access to sensitive information, and disruption of services. Given that Tiki Wiki CMS is often used for collaborative knowledge management and groupware functions, exploitation could result in leakage or manipulation of critical organizational data, intellectual property, or internal communications. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data access or loss can trigger severe legal and financial penalties. Additionally, compromised systems could be used as pivot points for lateral movement within corporate networks, increasing the scope of potential damage. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score underscores the urgency for European entities to address this vulnerability promptly.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting access to the calendar module to only fully trusted users until patches are available.
2. Organizations should monitor and audit authenticated user activities related to the calendar module for suspicious behavior indicative of exploitation attempts.
3. Apply strict input validation and sanitization on the 'viewmode' GET parameter if custom patches or WAF rules are implemented.
4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns targeting the 'viewmode' parameter.
5. Isolate the Tiki Wiki CMS environment using containerization or network segmentation to limit potential lateral movement in case of compromise.
6. Regularly check for official patches or updates from the Tiki Software Community Association and apply them promptly once released.
7. Conduct vulnerability scanning and penetration testing focused on this vector to identify any exploitation attempts or residual vulnerabilities.
8. Educate authenticated users on the importance of secure credential management to prevent unauthorized access that could facilitate exploitation.
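Recommendations 2 and 3 above (auditing calendar-module requests and allowlisting the 'viewmode' parameter) can be combined into one small check. The following is an added example, not code from Tiki or from this advisory: it validates 'viewmode' against an allowlist and scans web-server access-log lines for requests to tiki-calendar.php whose 'viewmode' value falls outside it. The set of legitimate view modes (day, week, month, year), the log format, and the sample log lines are all assumptions constructed for the example; confirm the real list of view modes against your Tiki version before deploying such a rule.

```python
"""Added example (not Tiki's code): allowlist validation for the `viewmode`
parameter of tiki-calendar.php plus an access-log scan that flags requests
whose `viewmode` value is not on the allowlist. The allowlist below is an
ASSUMPTION for illustration; check your own Tiki version for the real set."""
import re
from urllib.parse import urlsplit, parse_qs

# ASSUMED allowlist of legitimate calendar view modes (constructed for the example).
ALLOWED_VIEWMODES = frozenset({"day", "week", "month", "year"})


def validate_viewmode(value):
    """Return the value if it is exactly one allowlisted token, else None.

    Matching is exact on the decoded string: no trimming, no case folding,
    so 'Month' or 'month ' is rejected rather than silently coerced. Rejecting
    (instead of "sanitizing") is the safer shape for a parameter that is used
    to select server-side behaviour.
    """
    if value is None:
        return None
    return value if value in ALLOWED_VIEWMODES else None


# Combined-log style access log line (Apache/Nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return a list of (ip, user, raw_viewmode, reason) tuples for requests
    to tiki-calendar.php whose viewmode parameter is not on the allowlist.

    Only requests to the calendar script are inspected, so ordinary wiki
    traffic never produces a finding, and every viewmode value is checked
    even when the parameter is repeated in one query string.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/tiki-calendar.php"):
            continue
        # parse_qs percent-decodes values, so the check sees what PHP would see.
        query = parse_qs(parts.query, keep_blank_values=True)
        for raw in query.get("viewmode", []):
            if validate_viewmode(raw) is None:
                findings.append(
                    (m.group("ip"), m.group("user"), raw, "viewmode not in allowlist")
                )
    return findings


# Constructed sample log lines for the example; the third carries a viewmode
# value with characters no legitimate view mode contains.
SAMPLE_LOG = [
    '10.0.0.5 - alice [15/Jul/2025:13:10:01 +0000] "GET /tiki-calendar.php?viewmode=month HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [15/Jul/2025:13:10:09 +0000] "GET /tiki-calendar.php?viewmode=week&calIds[]=1 HTTP/1.1" 200 4090',
    '10.0.0.9 - bob [15/Jul/2025:13:12:44 +0000] "GET /tiki-calendar.php?viewmode=month%27%2Bx HTTP/1.1" 200 0',
    '10.0.0.9 - bob [15/Jul/2025:13:12:50 +0000] "GET /tiki-index.php?page=HomePage HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, user, raw, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} user={user!r} viewmode={raw!r}: {reason}")
```

Run against a real access log, the scan reports the source address and the authenticated user for every request carrying an unexpected 'viewmode' value, which ties back to the account-level audit the advisory recommends. The same `validate_viewmode` shape (exact allowlist match, reject on mismatch) is what a custom patch or WAF rule for the parameter should implement.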


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.560Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687654a5a83201eaaccea53c

Added to database: 7/15/2025, 1:16:21 PM

Last enriched: 7/15/2025, 1:31:33 PM

Last updated: 8/28/2025, 10:07:49 PM
