--------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection Vulnerability
--------------------------------------------------------------------------------
[-] Software Link:
https://tiki.org
[-] Versions Affected:
Version 24.0 and earlier
[-] Vulnerability Description:
The vulnerability is located in the /lib/structures/structlib.php script,
specifically in the StructLib::structure_to_webhelp() method, which passes
user-controlled input to an eval() call. Malicious users can exploit this to
inject and execute arbitrary PHP code. Successful exploitation requires the
"feature_create_webhelp" feature to be enabled and an account with permission
to create wiki pages.
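The following PHP snippet is an added illustration, not code from Tiki or from the original advisory. It shows the generic pattern the advisory describes (request-controlled text concatenated into an eval() argument) next to a version that avoids dynamic code entirely. The function names and the sample input are hypothetical.

```php
<?php
// Added illustration (not Tiki's own code): the generic pattern behind a PHP
// code injection via eval(), and one way to remove it. All names are hypothetical.

// VULNERABLE: a string partly built from request data is handed to eval().
// Whatever the user supplies becomes part of the program text that PHP
// compiles and runs, so a quote character in $title ends the literal and the
// remainder is executed as code.
function render_title_vulnerable(string $title): string
{
    return eval('return "Page: ' . $title . '";');
}

// FIXED: no dynamic code at all. Plain string concatenation produces the same
// output, and an escaping step handles the (HTML) context the value lands in.
// The input can never change what the program does, only what it prints.
function render_title_fixed(string $title): string
{
    return 'Page: ' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input for the benign case; both functions agree on it,
// which is exactly why the eval() variant is easy to overlook in review.
$title = 'Getting Started';
echo render_title_vulnerable($title), PHP_EOL;
echo render_title_fixed($title), PHP_EOL;
```

Because eval is a language construct rather than a function, the php.ini `disable_functions` directive does not block it; removing the call, as in the fixed variant (or, as here, upgrading to a release that does so), is the reliable remediation. When auditing a PHP code base for this class, every eval() whose argument is not a compile-time constant string deserves a look at where its pieces originate.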
[-] Solution:
Upgrade to version 24.1 or later.
[-] Disclosure Timeline:
[08/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CVE-2023-22853 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2023-02