High severity · NVD Advisory · Published Apr 29, 2025 · Updated Apr 29, 2025
YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting
CVE-2025-46349
Description
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4.
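The pattern behind this advisory is a filename taken from the query string and concatenated into the upload form's markup. The following is an added example, not YesWiki's code, that places that vulnerable rendering beside a hardened one; the function names, the filename allow-list and the sample inputs are all constructed for the demonstration, and the hardened version deliberately uses an allow-list plus output encoding rather than the `realpath()`/`filter_input()` approach of the project's own patch.

```php
<?php
// Added example, not YesWiki's code: an upload form rendered for a
// user-supplied filename, first in the pattern the advisory describes
// (query parameter echoed straight into markup) and then hardened.
// Function names, the allow-list and the sample inputs are constructed.

declare(strict_types=1);

// Vulnerable pattern: $file comes from the query string and is concatenated
// into an element body and into a quoted attribute without encoding, so a
// value containing '"' or '<' rewrites the page that reflects it.
function renderUploadFormVulnerable(string $file): string
{
    return '<h3>Upload form for file ' . $file . "</h3>\n"
        . '<form enctype="multipart/form-data" method="POST" action="/upload">' . "\n"
        . '  <input type="hidden" name="file" value="' . $file . "\" />\n"
        . '  <input type="file" name="upFile" />' . "\n"
        . "</form>\n";
}

// Validate a filename against a conservative allow-list: a single path
// component (no directory separators), a limited character set and an
// extension. Returns null when the name is not acceptable.
function validateFilename(string $file): ?string
{
    if ($file === '' || strlen($file) > 200 || basename($file) !== $file) {
        return null;
    }
    // Spaces, apostrophes, ampersands and parentheses are common in real
    // filenames and are allowed; the output encoding below keeps them inert.
    if (!preg_match('/^[A-Za-z0-9 ._()&\'-]+\.[A-Za-z0-9]{1,10}$/', $file)) {
        return null;
    }
    return $file;
}

// Encode at the sink: ENT_QUOTES covers both quote styles, so the value is
// safe inside a double- or single-quoted attribute and in element content.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate first, then encode every place the name is
// emitted (the heading and the hidden input, the two sinks in the advisory).
function renderUploadFormSafe(string $file): string
{
    $name = validateFilename($file);
    if ($name === null) {
        return '<div class="alert alert-danger">No valid filename</div>' . "\n";
    }
    return '<h3>Upload form for file ' . h($name) . "</h3>\n"
        . '<form enctype="multipart/form-data" method="POST" action="/upload">' . "\n"
        . '  <input type="hidden" name="file" value="' . h($name) . "\" />\n"
        . '  <input type="file" name="upFile" />' . "\n"
        . "</form>\n";
}

// Constructed inputs: one that closes the attribute early in the vulnerable
// renderer, and one legitimate name whose characters need encoding.
$breakout = 'report.pdf"><em>x</em>';
$legit    = 'Q1 report (v2) & notes.pdf';

echo "--- vulnerable: attribute closed early, markup injected ---\n";
echo renderUploadFormVulnerable($breakout);

echo "--- hardened: breakout rejected by the allow-list ---\n";
echo renderUploadFormSafe($breakout);

echo "--- hardened: legitimate name encoded at the sink ---\n";
echo renderUploadFormSafe($legit);   // the '&' is emitted as '&amp;'
```

Run it with `php example.php`. The raw value never reaches the markup: the allow-list rejects anything that is not a plain single-component filename, and what does pass is encoded at each output point rather than once at input, so the stored name remains usable as a filesystem path elsewhere in the request.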
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yeswiki/yeswiki (Packagist) | <= 4.5.3 | — |
Affected products
Patches (1)
0dac9e2fb2a5 fix(attach): no html in filenames
1 file changed · +10 −6
tools/attach/libs/attach.lib.php+10 −6 modified@@ -405,9 +405,9 @@ public function searchFiles($filepattern, $start_dir) public function CheckParams() { // recuperation des parametres necessaire - $this->file = $this->wiki->GetParameter('attachfile'); + $this->file = htmlspecialchars($this->wiki->GetParameter('attachfile')); if (empty($this->file)) { - $this->file = $this->wiki->GetParameter('file'); + $this->file = htmlspecialchars($this->wiki->GetParameter('file')); } $this->desc = $this->wiki->GetParameter('attachdesc'); @@ -723,15 +723,19 @@ public function doUpload() */ public function showUploadForm() { - $this->file = $_GET['file']; - echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n"; - echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n" + $this->file = realpath(filter_input(INPUT_GET, 'file', FILTER_SANITIZE_FULL_SPECIAL_CHARS)); + if (!empty($this->file)) { + echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n"; + echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n" . ' <input type="hidden" name="wiki" value="' . $this->wiki->GetPageTag() . "/upload\" />\n" . ' <input type="hidden" name="MAX_FILE_SIZE" value="' . $this->attachConfig['max_file_size'] . "\" />\n" . " <input type=\"hidden\" name=\"file\" value=\"$this->file\" />\n" . " <input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n" . ' <input class="btn btn-primary" type="submit" value="' . _t('ATTACH_SAVE') . "\" />\n" . "</form>\n"; + } else { + echo '<div class="alert alert-danger">No valid filename</div>'; + } } /** 
@@ -741,7 +745,7 @@ public function performUpload() { $this->file = $_POST['file']; $pathinfo = pathinfo($this->file); - $ext = strtolower($pathinfo['extension']); + $ext = strtolower($pathinfo['extension'] ?? ''); if ($this->wiki->config['authorized-extensions'] && !in_array($ext, array_keys($this->wiki->config['authorized-extensions']))) { $_FILES['upFile']['error'] = 5; }
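Review bot: In the first hunk (CheckParams, `@@ -405,9 +405,9 @@`), `htmlspecialchars()` is applied when the parameter is read, so `$this->file` holds an HTML-encoded string for the rest of the request instead of the filename itself; a name containing `&` or `"` would be carried and looked up on disk as `&amp;` or `&quot;`. Encoding belongs at the output sink (the `echo` statements), with the raw value kept for filesystem use, so every path that uses `$this->file` as a file name should be checked after this change. Also, without an explicit flags argument the set of characters encoded depends on the PHP version (single quotes are not encoded before PHP 8.1), so pass `ENT_QUOTES | ENT_SUBSTITUTE` explicitly.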
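Review bot: In the second hunk (showUploadForm, `@@ -723,15 +723,19 @@`), `realpath()` returns `false` for a path that does not exist and `filter_input()` returns `null` when the `file` parameter is absent, so any filename not already present on disk (relative to the current working directory) lands in the `No valid filename` branch; if the form is meant to offer the upload of a file that does not exist yet, that is a functional regression worth a test. When the path does exist, `$this->file` becomes an absolute server path that is then echoed into the `<h3>` and into the hidden `file` input, disclosing the filesystem layout to the client and changing what performUpload() later receives in `$_POST['file']`. Note too that `FILTER_SANITIZE_FULL_SPECIAL_CHARS` encodes the value before `realpath()` sees it, so a name containing `&` is resolved as `&amp;`. A simpler shape is to keep the sanitized name (or its `basename()`) and escape it with `htmlspecialchars()` at each of the two echo sites instead of resolving it.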
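Review bot: In the third hunk (performUpload, `@@ -741,7 +745,7 @@`), `?? ''` only silences the undefined-index notice for a name without an extension; the resulting empty `$ext` is still compared against the `authorized-extensions` keys, which is correct only as long as `''` is never a configured key, so consider rejecting an empty extension explicitly when an allow-list is configured. `$this->file` is still taken verbatim from `$_POST['file']` in this hunk and its later uses are outside the diff; the same rule as in showUploadForm() applies wherever it is echoed (encode at the sink) and wherever it is used as a path (`basename()` and an allow-list check).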
References (6)
- github.com/advisories/GHSA-2f8p-qqx2-gwr2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46349 (GHSA, advisory)
- github.com/YesWiki/yeswiki/blob/6894234bbde6ab168bf4253f9a581bd24bf53766/tools/attach/libs/attach.lib.php (GHSA, web)
- github.com/YesWiki/yeswiki/commit/0dac9e2fb2a5e69f13a3c9f761ecae6ed9676206 (GHSA, web)
- github.com/YesWiki/yeswiki/pull/1264/commits/6edde40eb7eeb5d60619ac4d1e0a0422d92e9524 (GHSA, x_refsource_MISC, web)
- github.com/YesWiki/yeswiki/security/advisories/GHSA-2f8p-qqx2-gwr2 (GHSA, x_refsource_CONFIRM, web)