Main Vulnerability Database SB2022022148

SB2022022148 - Improper access control in Wiki.js

Published: February 21, 2022 Updated: April 28, 2026

Security Bulletin ID SB2022022148

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: CVE-2022-23654)

The vulnerability allows a remote user to modify pages outside authorized paths.

The vulnerability exists due to improper access control in the page update access check when handling page update requests with a user-supplied page path and target page ID. A remote user can specify a different target page ID while keeping the path intact to modify pages outside authorized paths.

Exploitation requires write access limited to a restricted set of paths.

Remediation

Install update from vendor's website.

References

https://github.com/requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j
https://github.com/advisories/GHSA-3cv9-795v-6j7j