VYPR
Get started
← All advisories
High severityNVD Advisory· Published Jan 21, 2025· Updated Jan 21, 2025

YesWiki Vulnerable to Authenticated Stored XSS

CVE-2025-24018

Description

YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the {{attach}} component allowing users to attach files/medias to a page. When a file is attached using the {{attach}} component, if the resource contained in the file attribute doesn't exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
yeswiki/yeswikiPackagist
< 4.5.04.5.0

Affected products

1

Patches

1
c1e28b593949

fix(attach/tags): better sanitization

https://github.com/YesWiki/yeswikiFlorian SchmittJan 19, 2025via ghsa
commit
2 files changed · +10 9
  • tools/attach/libs/attach.lib.php+2 1 modified
    @@ -659,7 +659,8 @@ public function showUpdateLink()
          */
         public function showFileNotExits()
         {
-            echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$this->file") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
+            $filename = htmlspecialchars($this->file);
+            echo '<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$filename") . '" class="btn btn-primary"><i class="fa fa-upload icon-upload icon-white"></i> ' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>';
         }
 
         /**
  • tools/tags/services/TagsManager.php+8 8 modified
    @@ -30,7 +30,7 @@ public function deleteAll($page)
         if ($this->securityController->isWikiHibernated()) {
             throw new \Exception(_t('WIKI_IN_HIBERNATION'));
         }
-        //on recupere les anciens tags de la page courante
+        // on recupere les anciens tags de la page courante
         $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
         if (is_array($tabtagsexistants)) {
             foreach ($tabtagsexistants as $tab) {
@@ -49,29 +49,29 @@ public function save($page, $liste_tags)
         // TODO check if we need to escape here, or if we can do that in the tripleStore methods
         $tags = explode(',', $this->dbService->escape(_convert($liste_tags, YW_CHARSET, true)));
 
-        //on recupere les anciens tags de la page courante
+        // on recupere les anciens tags de la page courante
         $tabtagsexistants = $this->tripleStore->getAll($page, 'http://outils-reseaux.org/_vocabulary/tag', '', '');
         if (is_array($tabtagsexistants)) {
             foreach ($tabtagsexistants as $tab) {
                 $tags_restants_a_effacer[] = $tab['value'];
             }
         }
 
-        //on ajoute le tag s il n existe pas déjà
+        // on ajoute le tag s il n existe pas déjà
         foreach ($tags as $tag) {
             trim($tag);
             if ($tag != '') {
-                if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '')) {
-                    $this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
+                if (!$this->tripleStore->exist($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '')) {
+                    $this->tripleStore->create($page, 'http://outils-reseaux.org/_vocabulary/tag', htmlspecialchars($tag), '', '');
                 }
-                //on supprime ce tag du tableau des tags restants a effacer
+                // on supprime ce tag du tableau des tags restants a effacer
                 if (isset($tags_restants_a_effacer)) {
                     unset($tags_restants_a_effacer[array_search($tag, $tags_restants_a_effacer)]);
                 }
             }
         }
 
-        //on supprime les tags restants a effacer
+        // on supprime les tags restants a effacer
         if (isset($tags_restants_a_effacer)) {
             foreach ($tags_restants_a_effacer as $tag) {
                 $this->tripleStore->delete($page, 'http://outils-reseaux.org/_vocabulary/tag', $tag, '', '');
@@ -107,7 +107,7 @@ public function getPagesByTags($tags = '', $type = '', $nb = '', $tri = '')
             $req .= ' GROUP BY resource ';
             $req .= ' HAVING COUNT(resource)=' . $nbdetags . ') ';
 
-            //gestion du tri de l'affichage
+            // gestion du tri de l'affichage
             if ($tri == 'alpha') {
                 $req .= ' ORDER BY tag ASC ';
             } elseif ($tri == 'date') {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.