Secunia reports:
Thomas Pollet has discovered a vulnerability in TikiWiki,
which can be exploited by malicious people to conduct
cross-site scripting attacks.
Input passed to the "highlight" parameter in
tiki-searchindex.php is not properly sanitised before being
returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session
in context of an affected site.
rgod has discovered a vulnerability in TikiWiki, which can
be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to the "jhot.php" script
not correctly verifying uploaded files. This can e.g. be
exploited to execute arbitrary PHP code by uploading a
malicious PHP script to the "img/wiki" directory.