source: https://www.securityfocus.com/bid/51128/info Tiki Wiki CMS Groupware is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Tested with Firefox 7.01 Visit this URL http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss= -> blank site But when you visit one of this pages, the XSS will be executed http://www.example.com/tiki-8.1/tiki-login.php http://www.example.com/tiki-8.1/tiki-remind_password.php // browser source code show_errors: 'y', xss: '' }; Another example: http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss1= http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss2= http://www.example.com/tiki-8.1/tiki-cookie-jar.php?show_errors=y&xss3= All of them will be executed! // browser source code show_errors: 'y', xss1: '', xss2: '', xss3: '' };