CVE-2025-24018

{"id": "CVE-2025-24018", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-01-21T17:15:16.917", "references": [{"url": "https://github.com/YesWiki/yeswiki/blob/v4.4.5/tools/attach/libs/attach.lib.php#L660", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained in the `file` attribute doesn't exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue."}, {"lang": "es", "value": "YesWiki es una wiki sistema escrita en PHP. En versiones hasta incluida 4.4.5, es posible que un usuario autenticado con derechos para editar/crear una p\u00e1gina o comentario active un XSS almacenado que se reflejar\u00e1 en cualquier p\u00e1gina donde se cargue el recurso. La vulnerabilidad hace uso de la funci\u00f3n de edici\u00f3n de contenido y, m\u00e1s espec\u00edficamente, del componente `{{attach}}` que permite a los usuarios adjuntar archivos/medios a una p\u00e1gina. Cuando se adjunta un archivo utilizando el componente `{{attach}}`, si el recurso contenido en el atributo `file` no existe, entonces el servidor generar\u00e1 un bot\u00f3n de carga de archivo que contiene el nombre del archivo. Esta vulnerabilidad permite que cualquier usuario autenticado malintencionado que tenga derecho a crear un comentario o editar una p\u00e1gina pueda robar cuentas y, por lo tanto, modificar p\u00e1ginas, comentarios, permisos, extraer datos de usuario (correos electr\u00f3nicos), lo que afecta la integridad, disponibilidad y confidencialidad de una instancia de YesWiki. La versi\u00f3n 4.5.0 contiene un parche para el problema."}], "lastModified": "2025-05-09T14:02:53.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73A9706C-A5C2-4B1E-91E9-08C65D4B41C9", "versionEndExcluding": "4.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}