CVE-2025-46550 in yeswiki
Summary
by MITRE • 04/30/2025
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/30/2025
The vulnerability identified as CVE-2025-46550 affects YesWiki, a PHP-based wiki system that has been widely adopted for collaborative content management. This cross-site scripting vulnerability specifically targets the `/?BazaR` endpoint and the `idformulaire` parameter, creating a significant security risk for organizations relying on this platform for information sharing and collaboration. The flaw exists in versions prior to 4.5.4, indicating that the developers were aware of the issue and implemented a fix in their subsequent release, though the specific timeline of discovery remains undisclosed.
The technical exploitation of this vulnerability involves a reflected cross-site scripting attack where malicious actors craft specially formatted URLs containing malicious script payloads that are reflected back to authenticated users when they click on the crafted links. This reflected XSS vector operates through the vulnerable `idformulaire` parameter, which fails to properly sanitize user input before rendering it in the web response. When an authenticated user accesses a maliciously crafted URL, the embedded script executes within the user's browser context, potentially stealing session cookies that are typically transmitted with the HTTP headers. The vulnerability stems from inadequate input validation and output encoding practices, which are fundamental security controls that should prevent malicious scripts from executing in the context of legitimate web applications.
The operational impact of this vulnerability extends beyond simple session hijacking, as the stolen cookies provide attackers with persistent access to user accounts and their associated privileges within the YesWiki environment. This access could enable attackers to deface the website by modifying content, injecting malicious code, or even escalating privileges to administrative functions if the compromised user holds elevated permissions. The reflected nature of the attack means that the vulnerability can be exploited through social engineering techniques, where attackers send phishing emails or messages containing malicious links to targeted users. The attack requires minimal technical expertise from the attacker, making it particularly dangerous for organizations that may not have robust security awareness training programs in place.
Organizations using YesWiki versions prior to 4.5.4 should immediately implement the patch released in version 4.5.4 to remediate this vulnerability. The fix likely involves proper input sanitization of the `idformulaire` parameter and implementation of output encoding mechanisms that prevent malicious scripts from executing in the browser context. Security practitioners should also consider implementing additional protective measures such as content security policies to mitigate the impact of similar vulnerabilities, and they should monitor for any signs of exploitation attempts in their web server logs. This vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and represents a common attack vector that falls under the ATT&CK technique T1566 for social engineering and T1548 for privilege escalation through session hijacking. The incident underscores the importance of maintaining up-to-date software components and implementing proper input validation as core security practices. Organizations should also conduct regular security assessments to identify and remediate similar vulnerabilities in their web applications, particularly those involving user-supplied input that is reflected back to users without proper sanitization.