
TWiki remote code execution vulnerability

Effective Date: 10/27/2014
Product: TWiki.org versions 4.0.0-5, 4.1.0-2, 4.2.0-4, 4.3.0-2, 5.0.0-2, 5.1.0-4, 6.0.0
Platform: All Platforms

There is a vulnerability in TWiki that allows remote code execution via a crafted URL that uses the debugenableplugins parameter. An attacker does not need to be authenticated for the exploit to work. If you run a TWiki (from TWiki.org) web server, you must:

1) Decide if this installation is necessary or not (please remove if it is not used)
2) Ensure the installation is at the latest release and patch levels NOW
3) Ensure the installation is CONSISTENTLY at the latest release and patch levels going forward. If this is not possible, please see 1).
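
To check whether a server has already received requests of the kind described above, the following added example (not part of the original advisory and not TWiki code) scans access-log lines for requests whose query string names debugenableplugins. The combined log format, the sample lines, the request path and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Access-log line (common/combined format): ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PARAM = "debugenableplugins"  # name taken from the advisory text

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '192.0.2.10 - - [27/Oct/2014:10:01:02 +0000] "GET /cgi-bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Oct/2014:10:03:44 +0000] "GET /cgi-bin/view/Main/WebHome?debugenableplugins=PLACEHOLDER HTTP/1.1" 200 4711',
    '198.51.100.7 - - [27/Oct/2014:10:03:50 +0000] "GET /cgi-bin/view/Main/WebHome?skin=print;debugenable%70lugins=PLACEHOLDER HTTP/1.1" 200 4711',
    '203.0.113.5 - - [27/Oct/2014:10:05:00 +0000] "GET /cgi-bin/view/Main/Search?q=debugenableplugins HTTP/1.1" 200 900',
]


def decode_fully(text, max_rounds=3):
    """Percent-decode until stable, so encoded parameter names still match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_hits(lines):
    """Return one dict per logged request whose query names the parameter."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # Compare parameter names only; query strings may use & or ; as separators.
        names = [decode_fully(p.split("=", 1)[0]).strip().lower()
                 for p in re.split(r"[&;]", query) if p]
        if PARAM in names:
            hits.append({"line": lineno, "ip": m.group("ip"),
                         "time": m.group("time"), "path": path,
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body are not written to access logs, so an empty result does not show that the server was never targeted.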

Reference URL: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236