DOM Based XSS Vulnerability in YesWiki Wiki System
CVE-2025-24017

7.6 HIGH

Key Information:

Vendor: Yeswiki
CVE Published: 21 January 2025

Summary

YesWiki is a PHP-based wiki system that is susceptible to a DOM-based XSS vulnerability present in all versions up to and including 4.4.5. When a user runs the search-by-tag feature with a tag that does not exist, the system reflects the invalid tag into the page without proper server-side sanitization. This flaw allows an attacker to craft a malicious link that, when clicked, executes an XSS attack in the victim's browser. As a result, attackers can potentially hijack user accounts, modify page content, alter user permissions, and extract sensitive information such as email addresses. The vulnerability compromises the integrity, availability, and confidentiality of affected YesWiki instances. A patch has been introduced in version 4.5.0 to mitigate this issue.
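The defect class described above, as an added example that is not YesWiki's own code: the "no pages for this tag" message is modelled with a constructed in-memory tag index, first rendered by interpolating the user-supplied tag verbatim and then with the tag escaped before it is placed in HTML. Function and variable names are assumptions for illustration.

```javascript
// Added example, not code from YesWiki. Models the tag-search result page:
// when the requested tag matches nothing, the tag itself is echoed back.

// Constructed: minimal tag index standing in for the wiki's page store.
const TAG_INDEX = new Map([
  ["security", ["HomePage", "ThreatModel"]],
  ["php", ["Install"]],
]);

// Escapes the characters that change meaning in an HTML text or attribute
// context, so user input is rendered as text rather than parsed as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe rendering: the tag is interpolated verbatim into the HTML string,
// so markup in the query string becomes part of the page. This is the
// pattern the advisory describes, kept here only as the "before" case.
function renderTagSearchUnsafe(tag) {
  const pages = TAG_INDEX.get(tag);
  if (!pages) return `<p>No pages found for tag ${tag}</p>`;
  return `<ul>${pages.map((p) => `<li>${p}</li>`).join("")}</ul>`;
}

// Hardened rendering: every value that did not originate in code is escaped
// before it reaches HTML, on both the "not found" and the "found" paths.
// (In browser code the equivalent is assigning `textContent`, never `innerHTML`.)
function renderTagSearchSafe(tag) {
  const pages = TAG_INDEX.get(tag);
  if (!pages) return `<p>No pages found for tag ${escapeHtml(tag)}</p>`;
  return `<ul>${pages.map((p) => `<li>${escapeHtml(p)}</li>`).join("")}</ul>`;
}

// Review check: reports whether user input containing markup characters
// survived into the rendered HTML unescaped.
function containsRawMarkup(html, userInput) {
  return /[<>"']/.test(userInput) && html.includes(userInput);
}
```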

Affected Version(s)

yeswiki < 4.5.0

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved