CVE-2025-24017

7.6 HIGH

📋 TL;DR

YesWiki versions up to 4.4.5 contain a DOM-based cross-site scripting (XSS) vulnerability in the tag search feature. When users click malicious links containing crafted tags, attackers can execute arbitrary JavaScript in victims' browsers, potentially leading to account takeover. All YesWiki instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • YesWiki
Versions: All versions up to and including 4.4.5
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: All YesWiki installations with the vulnerable code are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of YesWiki instance: attackers can steal all user accounts, modify all content and permissions, extract sensitive user data including emails, and potentially gain server access through subsequent attacks.

🟠 Likely Case

Targeted account takeover leading to unauthorized content modification, privilege escalation, and data theft from compromised accounts.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though the vulnerability would still exist in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (clicking malicious link) and knowledge of the tag search feature. The advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.0

Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wphc-5f2j-jhvg

Restart Required: No

Instructions:

1. Back up your YesWiki installation and database.
2. Download YesWiki 4.5.0 from the official repository.
3. Replace all files with the new version, preserving your configuration files.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to sanitize tag parameters before processing.

Modify the tag search handling code to validate and sanitize input using htmlspecialchars() or similar functions.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Disable or restrict the tag search feature entirely

🔍 How to Verify

Check if Vulnerable:

Check your YesWiki version by examining the version file or the admin panel. If the version is 4.4.5 or earlier, the instance is vulnerable.

Check Version:

Check the file 'includes/version.php' or visit the admin panel.

Verify Fix Applied:

After upgrading to 4.5.0, test the tag search feature with various inputs including special characters to ensure proper sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual tag search queries containing JavaScript or HTML payloads
  • Multiple failed tag searches from single IP addresses

Network Indicators:

  • HTTP requests with suspicious parameters in tag search URLs

SIEM Query:

web_requests WHERE url CONTAINS 'tag=' AND (url CONTAINS '<script' OR url CONTAINS 'javascript:' OR url CONTAINS 'onclick=')
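The log indicators and the SIEM query above, implemented as a script that can be run over web server access logs. This is an added example, not part of the advisory or of YesWiki; the combined log format, the `tag` query parameter name, the request paths and the sample lines are assumptions constructed for the demonstration. Unlike the raw substring match in the SIEM query, it decodes the parameter value before matching, so percent-encoded requests are also flagged.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers taken from the SIEM query on this page. They are compared against
# the URL-decoded value of the tag parameter, so percent-encoded requests
# that a raw substring match on the URL would miss are still flagged.
MARKERS = ("<script", "javascript:", "onclick=")

# Combined (Apache/nginx style) access-log line; the format is an assumption.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the "tag" parameter name and the paths are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "GET /?tag=security HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2025:12:00:07 +0000] "GET /?tag=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2025:12:01:30 +0000] "GET /?tag=javascript%3Avoid%280%29 HTTP/1.1" 200 480 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Feb/2025:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 700 "-" "curl/8.0"',
]

def tag_values(url: str) -> list[str]:
    """Return every 'tag' query parameter of the request URL, fully decoded."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # parse_qsl decodes once; a second unquote also catches double-encoding.
    return [unquote(v) for k, v in pairs if k == "tag"]

def suspicious_tags(url: str) -> list[str]:
    """Tag values containing any of the page's script markers (case-insensitive)."""
    return [t for t in tag_values(url) if any(m in t.lower() for m in MARKERS)]

def scan(lines: list[str]) -> list[dict]:
    """Apply the detection to each log line; return one hit per flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognised log line
        tags = suspicious_tags(m["url"])
        if tags:
            hits.append({"ip": m["ip"], "url": m["url"], "tags": tags})
    return hits

def hits_by_ip(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per source IP (the page's 'single IP' indicator)."""
    return dict(Counter(h["ip"] for h in hits))
```

Running `scan(SAMPLE_LOG)` flags the two requests whose decoded tag value contains a marker and leaves the plain `tag=security` search alone.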
