Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection   
[-] Software Link:  
[-] Affected Versions:  
Version 24.0 and prior versions.  
[-] Vulnerability Description:  
The vulnerability is located in the /lib/structures/structlib.php   
script, specifically in the StructLib::structure_to_webhelp() method,   
which is using an eval() call with user-controlled input. This can be   
exploited by malicious users to inject and execute arbitrary PHP code.   
Successful exploitation of this vulnerability requires the   
“feature_create_webhelp” to be enabled and an account with permissions   
to create a wiki page.  
[-] Solution:  
Upgrade to version 24.1 or later.  
[-] Disclosure Timeline:  
[08/03/2022] - Vendor notified  
[23/08/2022] - Version 24.1 released  
[09/01/2023] - Public disclosure  
[-] CVE Reference:  
The Common Vulnerabilities and Exposures project (  
has assigned the name CVE-2023-22853 to this vulnerability.  
[-] Credits:  
Vulnerability discovered by Egidio Romano.  
[-] Original Advisory: