Share
## https://sploitus.com/exploit?id=PACKETSTORM:170433
--------------------------------------------------------------------------------  
Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection   
Vulnerability  
--------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://tiki.org  
  
  
[-] Affected Versions:  
  
Version 24.0 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is located in the /lib/structures/structlib.php   
script, specifically in the StructLib::structure_to_webhelp() method,   
which is using an eval() call with user-controlled input. This can be   
exploited by malicious users to inject and execute arbitrary PHP code.   
Successful exploitation of this vulnerability requires the   
“feature_create_webhelp” to be enabled and an account with permissions   
to create a wiki page.  
  
  
[-] Solution:  
  
Upgrade to version 24.1 or later.  
  
  
[-] Disclosure Timeline:  
  
[08/03/2022] - Vendor notified  
[23/08/2022] - Version 24.1 released  
[09/01/2023] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-22853 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2023-02