PatchSiren

CVE-2016-10143 Tiki CVE debrief

CVE-2016-10143 is a Tiki Wiki CMS 15.2 vulnerability that can let a remote attacker read arbitrary files on the target system by supplying a crafted pathname in a banner URL field. NVD classifies the issue as high severity with confidentiality impact, and the record indicates no privileges or user interaction are required.

Vendor: Tiki
Product: CVE-2016-10143
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Administrators and security owners running Tiki Wiki CMS 15.2, especially any internet-facing deployment or instance where banner content can be edited or processed.

Technical summary

The NVD record describes a network-reachable file-read condition in Tiki Wiki CMS 15.2 where a crafted pathname in a banner URL field can expose arbitrary files. NVD maps the issue to CWE-200 and rates it CVSS 3.0 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating a remotely exploitable confidentiality impact without authentication or user interaction.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor patch or updated release referenced in the Tiki issue tracker and SourceForge patch record.
  • Review any use of banner URL fields and remove or validate inputs that can influence filesystem path handling.
  • Restrict administrative access to Tiki configuration and content-management functions where practical.
  • Check exposed Tiki Wiki CMS 15.2 instances for suspicious requests involving banner URL values or unexpected file access patterns.
  • If you cannot immediately patch, reduce exposure by limiting network access to the application until remediation is complete.
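
As an added illustration of the input-validation action above (not Tiki's code and not the vendor patch), the sketch below accepts a banner URL only when it is an absolute http(s) URL, so a bare pathname or a non-web scheme is refused before anything can treat it as a file. The function name is_safe_banner_url and the optional host allowlist are hypothetical, and it assumes the field is only ever meant to hold a web link.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (an assumption for illustration, not Tiki code):
 * accept a banner URL only if it is an absolute http(s) URL, so the value
 * can never be interpreted as a local pathname.
 */
function is_safe_banner_url(string $value, array $allowedHosts = []): bool
{
    // Refuse empty values, control characters, whitespace and backslashes.
    if ($value === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $value)) {
        return false;
    }
    $parts = parse_url($value);
    // Bare or relative pathnames parse without a scheme and host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only web schemes are allowed; file:// and other non-web schemes fail here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials have no place in a banner link.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Optional allowlist of hosts permitted to serve banner content.
    $host = strtolower($parts['host']);
    return $allowedHosts === [] || in_array($host, $allowedHosts, true);
}

// Constructed sample values, not taken from any real request.
$samples = [
    'https://cdn.example.org/banners/spring.png',
    'http://example.org/promo',
    '/etc/passwd',
    '../../some/local/file',
    'file:///etc/passwd',
    'https://user:pw@example.org/x.png',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, is_safe_banner_url($s) ? 'accept' : 'reject');
}
```

Only the first two samples are accepted. A check like this complements the patch rather than replacing it, and it belongs on both the save path and any code that later dereferences the stored value.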

Evidence notes

All statements are based on the supplied NVD record and its listed references. The record identifies Tiki Wiki CMS 15.2 as the affected CPE, describes the issue as arbitrary file read through a crafted pathname in a banner URL field, and lists CWE-200 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The record was published on 2017-01-20 and marked modified on 2026-05-13. No exploited-in-the-wild or KEV data was supplied.

Official resources

CVE published: 2017-01-20T08:59:00.127Z. Source and NVD modified: 2026-05-13T00:24:29.033Z. No KEV date was supplied, and the record is not marked as having known use in ransomware campaigns in the provided corpus.