Wiki.js · CVE-2026-44224
**Name of the Vulnerable Software and Affected Versions**
Wiki.js versions prior to 2.5.313
**Description**
The `users.update` GraphQL mutation writes a caller-supplied `groups` array straight to the database without validating the supplied group IDs: the resolver hands its arguments to the model with no ownership check and no restriction on which groups may be assigned. A user holding the `manage:users` permission, typically granted to moderators, can therefore add their own account to the Administrators group by passing `groups: [1]`. Group membership is evaluated at login, so once the user re-authenticates the newly issued JSON Web Token (JWT) carries `manage:system`, which is full site-administrator access.
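The following is an added illustration of the bug's shape and of the check that closes it; it is not Wiki.js's own resolver or model code. It models a `users.update`-style resolver that writes the caller's `groups` argument through unvalidated, beside a hardened variant that rejects unknown group IDs and refuses any assignment that would grant the caller a permission it does not already hold (unless the caller has `manage:system`). The group table, user IDs and the `permissionsFor` login step are constructed for the example; only "group 1 is Administrators" and the permission names come from the advisory.

```javascript
// Added example, not Wiki.js code. Group IDs, names and permission sets are
// constructed; group 1 = Administrators follows the advisory.
const GROUPS = new Map([
  [1, { name: 'Administrators', permissions: ['manage:system', 'manage:users'] }],
  [2, { name: 'Guests',         permissions: ['read:pages'] }],
  [3, { name: 'Moderators',     permissions: ['manage:users', 'read:pages'] }],
]);

// Permissions derived from stored group membership, as a login would
// compute them before baking them into the JWT.
function permissionsFor(user) {
  const perms = new Set();
  for (const gid of user.groups) {
    for (const p of GROUPS.get(gid)?.permissions ?? []) perms.add(p);
  }
  return perms;
}

// Vulnerable shape: gate on manage:users, then trust `groups` and write it through.
function updateUserVulnerable(store, caller, args) {
  if (!permissionsFor(caller).has('manage:users')) throw new Error('FORBIDDEN');
  const target = store.get(args.id);
  if (args.groups !== undefined) target.groups = args.groups; // no validation at all
  return target;
}

// Hardened shape: every requested group must exist, and a caller without
// manage:system may only grant permissions it already holds itself.
function validateGroupAssignment(caller, requestedGroupIds) {
  const callerPerms = permissionsFor(caller);
  for (const gid of requestedGroupIds) {
    const group = GROUPS.get(gid);
    if (!group) return { ok: false, reason: `unknown group ${gid}` };
    if (callerPerms.has('manage:system')) continue;
    const escalates = group.permissions.find(p => !callerPerms.has(p));
    if (escalates) return { ok: false, reason: `group ${gid} grants ${escalates}` };
  }
  return { ok: true };
}

function updateUserHardened(store, caller, args) {
  if (!permissionsFor(caller).has('manage:users')) throw new Error('FORBIDDEN');
  const target = store.get(args.id);
  if (args.groups !== undefined) {
    const v = validateGroupAssignment(caller, args.groups);
    if (!v.ok) throw new Error(`FORBIDDEN: ${v.reason}`);
    target.groups = args.groups;
  }
  return target;
}

// Scenario from the advisory: a moderator (constructed user id 7, in group 3)
// sets its own groups to [1], then re-authenticates. Returns the error, if any,
// and the permissions a fresh token would carry afterwards.
function demo(updateFn) {
  const store = new Map([[7, { id: 7, groups: [3] }]]);
  const caller = store.get(7);
  try {
    updateFn(store, caller, { id: 7, groups: [1] });
  } catch (e) {
    return { error: e.message, permissions: [...permissionsFor(store.get(7))] };
  }
  return { error: null, permissions: [...permissionsFor(store.get(7))] };
}

console.log('vulnerable:', demo(updateUserVulnerable)); // token gains manage:system
console.log('hardened:  ', demo(updateUserHardened));   // rejected, still a moderator
```

The subset rule in `validateGroupAssignment` is deliberately stricter than a simple "is the caller an admin" check: it also stops a moderator from granting another account any permission the moderator does not hold, which is the ownership/assignment restriction the advisory says was missing.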
**Recommendations**
Update to version 2.5.313 or later. The update does not revert group assignments made before it was applied, so audit the Administrators group, and any other group carrying `manage:system` or `manage:users`, for unexpected members after upgrading.