wikiplugin_includetpl in lib/wiki-plugins/wikiplugin_includetpl.php in Tiki before 28.3 mishandles input to an eval. The fixed versions are 21.12, 24.8, 27.2, and 28.3.
The wikiplugin_includetpl function in the file lib/wiki-plugins/wikiplugin_includetpl.php does not properly validate input data before passing it to the eval() call in PHP. The vulnerability classified as CWE-1336 (improper neutralization of special elements used in template engines) allows an attacker to inject malicious code, which will then be executed by the PHP interpreter. Due to the AV:N/PR:L vector, only basic user account access with network access is sufficient to carry out the attack.
An attacker can gain full control over the server, including reading and modifying data (C:H/I:H/A:H) and breaking out of the application scope to other systems in the network (S:C — scope change). Successful exploitation of the vulnerability leads to remote code execution (RCE) with potential for lateral movement in the infrastructure.
Tiki should be updated as soon as possible to one of the patched versions: 21.12, 24.8, 27.2 or 28.3. Details of the patches are available in the references to commits in the Tiki project GitLab repository. Until the update is applied, it is recommended to restrict access to the instance exclusively to trusted users and consider disabling the wikiplugin_includetpl plugin.
Tiki Wiki CMS/Groupware in all versions earlier than 28.3. Fixed versions in branches: 21.x (from 21.12), 24.x (from 24.8), 27.x (from 27.2), and 28.x (from 28.3).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H