anonhaven
Ad

CVE-2025-24017

MEDIUM CVSS 3.1: 6.1 EPSS 0.29%
Updated May 09, 2025
Yeswiki
Parameter Value
CVSS 6.1 (MEDIUM)
Affected Versions before 4.5.0
Fixed In 4.5.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Yeswiki
Public PoC No

YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki's pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature.

When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Yeswiki Yeswiki
cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*
 4.5.0

References 2

https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db…
security-advisories@github.com
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wphc-5f2j-jhvg
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34598

Yeswiki

7.1

CVE-2025-24019

Yeswiki

7.1

CVE-2025-24018

Yeswiki

5.4