CVE-2025-34113: CWE-306 Missing Authentication for Critical Function in Tiki Software Community Association Wiki CMS Groupware
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
AI Analysis
Technical Summary
CVE-2025-34113 is a high-severity authenticated command injection vulnerability affecting multiple versions of the Tiki Wiki CMS Groupware, specifically versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14. The vulnerability resides in the 'tiki-calendar.php' component, particularly in the handling of the 'viewmode' GET parameter when the calendar module is enabled. An authenticated user with permission to access the calendar module can exploit this flaw by injecting arbitrary PHP code through the 'viewmode' parameter. This leads to remote code execution (RCE) within the context of the web server user, potentially allowing full system compromise depending on the server configuration and privileges. The root cause is a missing authentication check for a critical function (CWE-306), combined with improper input validation (CWE-20) and command injection (CWE-78). The vulnerability requires that the attacker be authenticated with at least limited privileges (PR:L) but does not require user interaction (UI:N). The CVSS 4.0 base score is 8.7, reflecting the network attack vector, low attack complexity, no need for user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations using affected versions remain at risk until remediation is applied.
Potential Impact
For European organizations using Tiki Wiki CMS Groupware, this vulnerability poses a significant risk. The ability for an authenticated user to execute arbitrary PHP code remotely can lead to complete system compromise, data breaches, unauthorized access to sensitive information, and disruption of services. Given that Tiki Wiki CMS is often used for collaborative knowledge management and groupware functions, exploitation could result in leakage or manipulation of critical organizational data, intellectual property, or internal communications. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data access or loss can trigger severe legal and financial penalties. Additionally, compromised systems could be used as pivot points for lateral movement within corporate networks, increasing the scope of potential damage. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score underscores the urgency for European entities to address this vulnerability promptly.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the calendar module to only fully trusted users until patches are available. 2. Organizations should monitor and audit authenticated user activities related to the calendar module for suspicious behavior indicative of exploitation attempts. 3. Apply strict input validation and sanitization on the 'viewmode' GET parameter if custom patches or WAF rules are implemented. 4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns targeting the 'viewmode' parameter. 5. Isolate the Tiki Wiki CMS environment using containerization or network segmentation to limit potential lateral movement in case of compromise. 6. Regularly check for official patches or updates from the Tiki Software Community Association and apply them promptly once released. 7. Conduct vulnerability scanning and penetration testing focused on this vector to identify any exploitation attempts or residual vulnerabilities. 8. Educate authenticated users on the importance of secure credential management to prevent unauthorized access that could facilitate exploitation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
CVE-2025-34113: CWE-306 Missing Authentication for Critical Function in Tiki Software Community Association Wiki CMS Groupware
Description
An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user.
AI-Powered Analysis
Technical Analysis
CVE-2025-34113 is a high-severity authenticated command injection vulnerability affecting multiple versions of the Tiki Wiki CMS Groupware, specifically versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14. The vulnerability resides in the 'tiki-calendar.php' component, particularly in the handling of the 'viewmode' GET parameter when the calendar module is enabled. An authenticated user with permission to access the calendar module can exploit this flaw by injecting arbitrary PHP code through the 'viewmode' parameter. This leads to remote code execution (RCE) within the context of the web server user, potentially allowing full system compromise depending on the server configuration and privileges. The root cause is a missing authentication check for a critical function (CWE-306), combined with improper input validation (CWE-20) and command injection (CWE-78). The vulnerability requires that the attacker be authenticated with at least limited privileges (PR:L) but does not require user interaction (UI:N). The CVSS 4.0 base score is 8.7, reflecting the network attack vector, low attack complexity, no need for user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations using affected versions remain at risk until remediation is applied.
Potential Impact
For European organizations using Tiki Wiki CMS Groupware, this vulnerability poses a significant risk. The ability for an authenticated user to execute arbitrary PHP code remotely can lead to complete system compromise, data breaches, unauthorized access to sensitive information, and disruption of services. Given that Tiki Wiki CMS is often used for collaborative knowledge management and groupware functions, exploitation could result in leakage or manipulation of critical organizational data, intellectual property, or internal communications. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data access or loss can trigger severe legal and financial penalties. Additionally, compromised systems could be used as pivot points for lateral movement within corporate networks, increasing the scope of potential damage. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score underscores the urgency for European entities to address this vulnerability promptly.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the calendar module to only fully trusted users until patches are available. 2. Organizations should monitor and audit authenticated user activities related to the calendar module for suspicious behavior indicative of exploitation attempts. 3. Apply strict input validation and sanitization on the 'viewmode' GET parameter if custom patches or WAF rules are implemented. 4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block command injection patterns targeting the 'viewmode' parameter. 5. Isolate the Tiki Wiki CMS environment using containerization or network segmentation to limit potential lateral movement in case of compromise. 6. Regularly check for official patches or updates from the Tiki Software Community Association and apply them promptly once released. 7. Conduct vulnerability scanning and penetration testing focused on this vector to identify any exploitation attempts or residual vulnerabilities. 8. Educate authenticated users on the importance of secure credential management to prevent unauthorized access that could facilitate exploitation.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.560Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 687654a5a83201eaaccea53c
Added to database: 7/15/2025, 1:16:21 PM
Last enriched: 7/15/2025, 1:31:33 PM
Last updated: 8/28/2025, 10:07:49 PM
Views: 50
Related Threats
CVE-2025-9689: SQL Injection in SourceCodester Advanced School Management System
MediumCVE-2025-0165: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data
HighCVE-2025-9688: Integer Overflow in Mupen64Plus
LowCVE-2025-9687: Improper Authorization in Portabilis i-Educar
MediumCVE-2025-9686: SQL Injection in Portabilis i-Educar
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.