CVE-2022-23654

8.1 HIGH

📋 TL;DR

Wiki.js versions before 2.5.274 contain an improper authentication vulnerability (CWE-287): an authenticated user with write access to a restricted set of paths can update pages outside that scope. The page update request carries both a page ID and a path; by submitting the ID of a page outside their scope while leaving the path value unchanged, an attacker bypasses the path-based access check, which is evaluated against the submitted path rather than the page the ID actually refers to. This affects all Wiki.js deployments that have user accounts with restricted write permissions.

💻 Affected Systems

Products:
  • Wiki.js
Versions: All versions before 2.5.274
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with authenticated users and path-based access restrictions configured.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A privileged authenticated user could modify or delete any wiki page, potentially defacing content, injecting malicious scripts, or deleting critical documentation.

🟠

Likely Case

Users with limited write permissions could escalate privileges by modifying pages they shouldn't have access to, potentially accessing sensitive information or disrupting operations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized modifications within the wiki system only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user account with some write permissions. Once authenticated, the vulnerability is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.274 and later

Vendor Advisory: https://github.com/Requarks/wiki/security/advisories/GHSA-3cv9-795v-6j7j

Restart Required: Yes

Instructions:

1. Back up your wiki data.
2. Update Wiki.js to version 2.5.274 or later using your package manager, or download the release from GitHub.
3. Restart the Wiki.js service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Temporary Access Restriction (scope: all users)

Temporarily restrict write access for all users, or put an additional access-control layer in front of Wiki.js until the patch is applied.

🧯 If You Can't Patch

  • Implement strict access controls and audit all user permissions
  • Enable detailed logging of all page modification attempts and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Wiki.js version in the admin panel, or run the following from the Wiki.js install directory: node -e "console.log(require('./package.json').version)"

Check Version:

node -e "console.log(require('./package.json').version)"

Verify Fix Applied:

Confirm that the version is 2.5.274 or higher, and test that a user with restricted write permissions cannot modify pages outside their assigned paths.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed access attempts to restricted paths
  • User modifying pages with IDs outside their normal pattern
  • Access denied logs followed by successful modifications

Network Indicators:

  • Unusual API call patterns to page update endpoints

SIEM Query:

source="wiki.js" AND (event="page_update" OR event="page_move") AND user.permissions="restricted" AND target_path!="allowed_path*"
