CVE-2024-45298
📋 TL;DR
Wiki.js versions 2.5.303 and earlier contain an authentication bypass vulnerability where disabled users can regain access by using the password reset function. This allows users who should be locked out to bypass account restrictions and access the wiki. All Wiki.js deployments using account restrictions with disabled users are affected.
💻 Affected Systems
- Wiki.js
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disabled malicious users regain access to sensitive wiki content, potentially modifying or exfiltrating confidential information.
Likely Case
Disabled legitimate users accidentally or intentionally regain access to content they should no longer have permissions to view.
If Mitigated
If proper access controls and monitoring are in place, unauthorized access can be detected and contained quickly.
🎯 Exploit Status
Exploitation requires a valid user account that has been disabled. The attack is simple: request a password reset for the disabled account, follow the reset link, set a new password, and log in to gain access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.304
Vendor Advisory: https://github.com/requarks/wiki/security/advisories/GHSA-vwww-c5vg-xgfc
Restart Required: Yes
Instructions:
1. Backup your wiki data.
2. Stop the Wiki.js service.
3. Update to version 2.5.304 using your deployment method (npm, Docker, etc.).
4. Restart the Wiki.js service.
5. Verify the update was successful.
🔧 Temporary Workarounds
No workarounds available
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Monitor authentication logs for password reset attempts on disabled accounts
- Temporarily disable password reset functionality if business requirements allow
🔍 How to Verify
Check if Vulnerable:
Check your Wiki.js version in the admin panel or via the API endpoint /api/version. If the version is 2.5.303 or earlier, the deployment is vulnerable.
Check Version:
curl -s http://your-wiki-url/api/version | grep version
Verify Fix Applied:
After updating, verify that the version shows 2.5.304 or later. Test by attempting a password reset on a disabled test account; the reset should fail.
📡 Detection & Monitoring
Log Indicators:
- Password reset requests for disabled user accounts
- Successful authentication events from previously disabled accounts
Network Indicators:
- HTTP POST requests to /api/auth/reset-password endpoints for disabled users
SIEM Query:
source="wiki.js" AND (event="password_reset_request" OR event="login") AND user_status="disabled"
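As an added example (not code from this advisory or from the Wiki.js project), the following Python turns the log indicators above into a correlation check: it reads a constructed JSON-lines auth log, keeps only events for accounts on an administrator-supplied disabled list, and rates a login that follows a password reset request within 30 minutes as the high-severity bypass chain. The event names, field names and log shape are assumptions; map them to whatever your Wiki.js or reverse-proxy logs actually emit.

```python
import json
from datetime import datetime, timedelta

# Constructed sample auth log (JSON lines); event names/fields are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-09-01T10:00:00Z","event":"password_reset_request","user":"alice@example.com"}
{"ts":"2024-09-01T10:02:10Z","event":"password_reset_complete","user":"alice@example.com"}
{"ts":"2024-09-01T10:02:30Z","event":"login","user":"alice@example.com","src":"203.0.113.5"}
{"ts":"2024-09-01T11:00:00Z","event":"password_reset_request","user":"bob@example.com"}
{"ts":"2024-09-01T11:00:40Z","event":"login","user":"bob@example.com","src":"198.51.100.7"}
{"ts":"2024-09-02T09:00:00Z","event":"login","user":"carol@example.com","src":"203.0.113.9"}
"""

# Accounts an administrator has disabled (export this from the user directory).
DISABLED_USERS = {"alice@example.com", "carol@example.com"}
WINDOW = timedelta(minutes=30)  # reset -> login gap that marks the bypass chain


def parse_log(text):
    """Parse JSON-lines records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_reactivations(events, disabled, window=WINDOW):
    """Flag reset requests and logins on disabled accounts; a login within
    `window` of a reset request is 'high' (the CVE-2024-45298 chain)."""
    findings = []
    last_reset = {}
    for rec in events:
        user = rec["user"]
        if user not in disabled or rec["event"] not in ("password_reset_request", "login"):
            continue
        severity = "medium"
        if rec["event"] == "password_reset_request":
            last_reset[user] = rec["ts"]
        elif user in last_reset and rec["ts"] - last_reset[user] <= window:
            severity = "high"
        findings.append({"user": user, "event": rec["event"],
                         "severity": severity, "ts": rec["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_reactivations(parse_log(SAMPLE_LOG), DISABLED_USERS):
        print(f"[{f['severity']}] {f['ts']} {f['user']} {f['event']}")
```

A lone login from a disabled account is still reported at medium severity, since it should not be possible at all once the account is disabled.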