----------------------------------------------------------------------------------------------------
Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability
----------------------------------------------------------------------------------------------------

[-] Software Link:

https://tiki.org

[-] Affected Versions:

Version 24.1 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the /lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when importing data from WordPress sites through the Tiki Importer, user input passed through the uploaded XML file is used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an admin account (specifically, the 'tiki_p_admin_importer' permission). However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:
[-] Solution:

Upgrade to version 24.2 or later.

[-] Disclosure Timeline:

[07/03/2022] - Vendor notified
[23/08/2022] - Version 24.1 released
[09/01/2023] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-22851 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2023-04
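The pattern behind this class of bug, and the fix the 24.2 release is described as shipping, illustrated with added example code that is not Tiki's own: a WordPress WXR export carries plugin metadata as PHP-serialized strings in wp:meta_value elements, and feeding those to a bare unserialize() lets the file's author choose which classes get instantiated. The XML sample, the function names and the rejection policy are constructed for the illustration; restricting unserialize() with allowed_classes => false is the standard PHP hardening and is what the example relies on.

```php
<?php
// Constructed WXR fragment: one ordinary serialized array (what plugin meta
// legitimately contains) and one serialized object (what an attacker-supplied
// export would use to trigger PHP object injection).
$wxr = <<<XML
<rss xmlns:wp="http://wordpress.org/export/1.2/"><channel><item>
  <wp:postmeta><wp:meta_key>_settings</wp:meta_key>
    <wp:meta_value>a:1:{s:5:"color";s:4:"blue";}</wp:meta_value></wp:postmeta>
  <wp:postmeta><wp:meta_key>_evil</wp:meta_key>
    <wp:meta_value>O:8:"stdClass":1:{s:1:"x";i:1;}</wp:meta_value></wp:postmeta>
</item></channel></rss>
XML;

// Vulnerable pattern (hypothetical, mirrors the advisory): whatever class name
// the uploaded file carries is instantiated, and its magic methods run.
function importMetaUnsafe(string $value) {
    return unserialize($value);
}

// Hardened pattern: no class may be instantiated. Objects degrade to
// __PHP_Incomplete_Class, which we treat as a rejected value, while scalars
// and arrays still round-trip exactly as the importer needs them to.
function importMetaSafe(string $value) {
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false && $value !== 'b:0;') {
        return null; // not valid serialized data at all
    }
    if (containsObject($decoded)) {
        return null; // reject: serialized objects have no place in post meta
    }
    return $decoded;
}

function containsObject($v): bool {
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $e) {
            if (containsObject($e)) {
                return true;
            }
        }
    }
    return false;
}

$xml = new SimpleXMLElement($wxr);
$xml->registerXPathNamespace('wp', 'http://wordpress.org/export/1.2/');
foreach ($xml->xpath('//wp:postmeta') as $meta) {
    $key = (string) $meta->children('wp', true)->meta_key;
    $val = (string) $meta->children('wp', true)->meta_value;
    $result = importMetaSafe($val);
    printf("%-10s %s\n", $key, $result === null ? 'REJECTED' : 'ok (' . gettype($result) . ')');
}
```

Run with the PHP CLI: the `_settings` entry decodes as an array and `_evil` is rejected, which is the behaviour a patched importer should show for any object found in an uploaded file.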