VYPR
Get started
← All advisories
High severityNVD Advisory· Published Jan 21, 2025· Updated Feb 12, 2025

YesWiki Vulnerable to Unauthenticated DOM Based XSS

CVE-2025-24017

Description

YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki's pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
yeswiki/yeswikiPackagist
< 4.5.04.5.0

Affected products

1

Patches

1
c1e28b593949

fix(attach/tags): better sanitization

https://github.com/YesWiki/yeswikiFlorian SchmittJan 19, 2025via ghsa
commit
2 files changed · +10 9
  • tools/attach/libs/attach.lib.php+2 1 modified
    @@ -659,7 +659,8 @@ public function showUpdateLink()
          */
         public function showFileNotExits()
         {
-            echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$this->file") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
+            $filename = htmlspecialchars($this->file);
+            echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$filename") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
         }
 
         /**
  • tools/tags/services/TagsManager.php+8 8 modified
    @@ -30,7 +30,7 @@ public function deleteAll($page)
         if ($this->securityController->isWikiHibernated()) {
             throw new \Exception(_t('WIKI_IN_HIBERNATION'));
         }
-        //on recupere les anciens tags de la page courante
+        // on recupere les anciens tags de la page courante
         $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
         if (is_array($tabtagsexistants)) {
             foreach ($tabtagsexistants as $tab) {
@@ -49,29 +49,29 @@ public function save($page, $liste_tags)
         // TODO check if we need to escape here, or if we can do that in the tripleStore methods
         $tags = explode(',', $this->dbService->escape(_convert($liste_tags, YW_CHARSET, true)));
 
-        //on recupere les anciens tags de la page courante
+        // on recupere les anciens tags de la page courante
         $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
         if (is_array($tabtagsexistants)) {
             foreach ($tabtagsexistants as $tab) {
                 $tags_restants_a_effacer[] = $tab['value'];
             }
         }
 
-        //on ajoute le tag s il n existe pas déjà
+        // on ajoute le tag s il n existe pas déjà
         foreach ($tags as $tag) {
             trim($tag);
             if ($tag != '') {
-                if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '')) {
-                    $this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
+                if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '')) {
+                    $this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '');
                 }
-                //on supprime ce tag du tableau des tags restants a effacer
+                // on supprime ce tag du tableau des tags restants a effacer
                 if (isset($tags_restants_a_effacer)) {
                     unset($tags_restants_a_effacer[array_search($tag, $tags_restants_a_effacer)]);
                 }
             }
         }
 
-        //on supprime les tags restants a effacer
+        // on supprime les tags restants a effacer
         if (isset($tags_restants_a_effacer)) {
             foreach ($tags_restants_a_effacer as $tag) {
                 $this->tripleStore->delete($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
@@ -107,7 +107,7 @@ public function getPagesByTags($tags = '', $type = '', $nb = '', $tri = '')
             $req .= ' GROUP BY resource ';
             $req .= ' HAVING COUNT(resource)=' . $nbdetags . ') ';
 
-            //gestion du tri de l'affichage
+            // gestion du tri de l'affichage
             if ($tri == 'alpha') {
                 $req .= ' ORDER BY tag ASC ';
             } elseif ($tri == 'date') {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.