——————————————————————————
Tiki Wiki CMS Groupware <= 25.0 Cross-Site Request Forgery Vulnerabilities
——————————————————————————
[-] Software link:
https://tiki.org
[-] Versions Affected:
Version 25.0 and earlier versions
[-] Vulnerabilities Description:
1) The /tiki_importer.php script does not implement any protection against
Cross-Site Request Forgery (CSRF) attacks. This can be exploited to force an
authenticated user to import arbitrary content (wiki pages) into TikiWiki by
tricking the victim user into visiting a specially crafted web page.
2) The /tiki-import_sheet.php script does not implement any protection against
Cross-Site Request Forgery (CSRF) attacks. This can be exploited to force an
authenticated user to import arbitrary sheets into TikiWiki by tricking the
victim user into visiting a specially crafted web page. This vulnerability can
only be exploited if the "Spreadsheets" feature is enabled.
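As an added defender-side illustration (not part of the advisory), the check below scans web-server access logs for POST requests to the two import scripts whose Referer is missing or points off-host, which is what a forged cross-site submission looks like in the logs. The hostname, the log lines and the hyphenated `tiki-importer.php` spelling (matched alongside the advisory's underscore spelling) are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in "combined" log format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - alice [09/Jan/2023:10:00:01 +0000] "POST /tiki-importer.php HTTP/1.1" 200 512 "https://wiki.example.org/tiki-importer.php" "Mozilla/5.0"
203.0.113.5 - alice [09/Jan/2023:10:02:17 +0000] "POST /tiki-importer.php HTTP/1.1" 200 512 "https://evil.example.net/lure.html" "Mozilla/5.0"
198.51.100.9 - bob [09/Jan/2023:10:03:40 +0000] "POST /tiki-import_sheet.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - bob [09/Jan/2023:10:04:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 2048 "https://evil.example.net/lure.html" "Mozilla/5.0"
"""

TIKI_HOST = "wiki.example.org"  # assumed hostname of the Tiki instance
# Scripts the advisory names as lacking CSRF protection; the advisory writes the
# first with an underscore, so both spellings are matched here.
IMPORT_SCRIPTS = {"/tiki_importer.php", "/tiki-importer.php", "/tiki-import_sheet.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def is_cross_site(referer: str, tiki_host: str) -> bool:
    """True if the Referer is absent or names a host other than the wiki.

    An absent Referer ("-") is treated as suspicious as well: a form submitted
    from inside the wiki normally carries one, while a lure page can suppress
    it with a Referrer-Policy, so its absence is not a clean bill.
    """
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != tiki_host


def find_suspicious_imports(log_text: str, tiki_host: str = TIKI_HOST) -> list:
    """Return POSTs to the import scripts whose Referer is missing or off-host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # drop any query string
        if m["method"] == "POST" and path in IMPORT_SCRIPTS \
                and is_cross_site(m["referer"], tiki_host):
            hits.append({"user": m["user"], "ip": m["ip"],
                         "path": path, "referer": m["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_imports(SAMPLE_LOG):
        print(hit)
```

A same-host Referer is not proof of legitimacy, so treat hits as triage leads to confirm against the user's session activity rather than as a verdict.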
[-] Solution:
Currently, there is no official solution.
[-] Disclosure Timeline:
[06/03/2022] – Vendor notified
[09/01/2023] – Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2023-22852 to this vulnerability.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2023-01