Headline
CVE-2023-22853
Tiki before 24.1, when feature_create_webhelp is enabled, allows PHP Object Injection in lib/structures/structlib.php because of an eval.
On August 23, 2022, Tiki 18.9 LTS, Tiki 23.2 and Tiki 24.1 LTS were released, and Tiki 21.6 LTS was released the next day. These releases bring functional enhancements, bug fixes and security updates.
Tiki 24.1 LTS has received improvements and enhancements in trackers, calendars, web mail, newsletters, toolbars, wiki structures (page sets), French translations and many other areas.
For Tiki 21.6 LTS, there was some cleanup of old code as well as miscellaneous minor fixes and enhancements.
For users of Tiki 23, the update includes improvements and fixes in wiki plugins, trackers, maps, CKEditor functions, and user registration, among others. This is essentially an end-of-life release so users of Tiki 23 should consider upgrading to Tiki 24.
Tiki 18 LTS was updated for probably the last time as it is approaching the end of its service life. For more information, please see "End of service life approaching for Tiki 18 - what options do you have?"
The releases include a fix for a security vulnerability reported by Egidio Romano (aka EgiX), whom we deeply thank for his detailed report.
Download information is at Get Tiki.
Related news
Tiki Wiki CMS Groupware versions 24.0 and below suffer from a PHP code injection vulnerability in structlib.php.