-----------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability
-----------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 24.0 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the /lib/sheet/grid.php script, specifically in the TikiSheetSerializeHandler::_load() method, which uses the unserialize() PHP function on user-controlled input. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires the “Spreadsheets” feature to be enabled and an account with permissions to create a new sheet. However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:

[-] Solution:

Upgrade to version 24.1 or later.

[-] Disclosure Timeline:

[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-22850 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-03
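The root cause described above is unserialize() applied to request data. The following is an added illustration, not Tiki's code: a hypothetical, simplified sheet loader showing the unsafe pattern next to a hardened variant that refuses to instantiate any object (function names and the sample inputs are constructed for this example).

```php
<?php
// Hypothetical stand-in for the vulnerable pattern: serialized sheet data
// arrives straight from a request parameter and reaches unserialize() with
// no class restriction, so any loadable class with a magic method
// (__wakeup, __destruct, ...) can be instantiated by the caller.
function loadSheetUnsafe(string $data): array
{
    $sheet = unserialize($data);   // user-controlled input, no restrictions
    return is_array($sheet) ? $sheet : [];
}

// Hardened variant: with allowed_classes => false every serialized object is
// turned into __PHP_Incomplete_Class, so no application class is ever
// constructed. Input that still contains objects is then rejected outright.
// (For pure data such as sheet cells, a JSON format is the better choice.)
function loadSheetSafe(string $data): array
{
    $sheet = @unserialize($data, ['allowed_classes' => false]);
    if ($sheet === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('malformed sheet data');
    }
    if (containsObject($sheet)) {
        throw new InvalidArgumentException('sheet data must not contain objects');
    }
    return is_array($sheet) ? $sheet : [];
}

// Recursively detect any object (including __PHP_Incomplete_Class).
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a plain cell array is accepted by the hardened
// loader, while a serialized object (here a harmless stdClass) is rejected.
$plainSheet  = serialize(['A1' => 'hello', 'B1' => 42]);
$objectInput = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(loadSheetSafe($plainSheet));
try {
    loadSheetSafe($objectInput);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```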