Description
Unauthenticated users can upload and execute arbitrary code due to a vulnerability in a preinstalled third-party component ("ELFinder"). An unauthenticated user can upload a PHP file containing arbitrary code and execute it with the permissions of the web server user.
Remediation
Upgrade Tiki Wiki CMS to version 12.9, 14.4, 15.2 or above (recommended)
References
Related Vulnerabilities
WordPress Plugin UnGallery Local File Disclosure (1.5.8)
Possible username or password disclosure
WordPress Plugin CodeArt-Google MP3 Player Arbitrary File Disclosure (1.0.11)
WordPress Plugin Candidate Application Form Arbitrary File Download (1.0)
WordPress Plugin Shopping Cart & eCommerce Store Information Disclosure (2.0.5)