CVE-2025-24018
📋 TL;DR
This stored XSS vulnerability in YesWiki allows authenticated users with page/comment editing rights to inject malicious scripts via the {{attach}} component. When exploited, it can lead to account theft, data exfiltration, and unauthorized content modifications. All YesWiki instances up to version 4.4.5 are affected.
💻 Affected Systems
- YesWiki
📦 What is this software?
YesWiki, maintained by the YesWiki project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the YesWiki instance: attackers steal admin credentials, modify all pages/comments, change permissions, exfiltrate user emails and data, and potentially pivot to other systems.
Likely Case
Malicious authenticated users steal other user accounts, modify content, and extract sensitive information like email addresses from the database.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, or if user permissions are strictly controlled.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability leverages the {{attach}} component's handling of non-existent files to inject XSS payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.0
Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j
Restart Required: No
Instructions:
1. Back up your YesWiki instance and database.
2. Download YesWiki 4.5.0 or newer from the official repository.
3. Replace the existing installation files with the patched version.
4. Verify that the {{attach}} component properly sanitizes input.
🔧 Temporary Workarounds
Disable {{attach}} component
Temporarily disable or restrict usage of the {{attach}} component to prevent exploitation.
Modify YesWiki configuration to remove or restrict attach functionality
Restrict user permissions
Tighten permissions so only trusted administrators can create/edit pages and comments.
Review and modify user role permissions in YesWiki administration panel
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Enable web application firewall (WAF) rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check whether your YesWiki version is 4.4.5 or earlier. Examine tools/attach/libs/attach.lib.php around line 660 (see the references below) for proper input sanitization of filenames.
Check Version:
Check the version.php file or the YesWiki administration panel for the current version.
Verify Fix Applied:
After upgrading to 4.5.0+, verify that the {{attach}} component properly escapes user input and no longer generates unsafe HTML from filenames.
📡 Detection & Monitoring
Log Indicators:
- Unusual {{attach}} usage patterns
- Multiple failed file attachment attempts with suspicious filenames
- Unexpected JavaScript execution in page content
Network Indicators:
- Outbound connections to suspicious domains from YesWiki pages
- Unexpected data exfiltration patterns
SIEM Query:
Search for web logs containing '{{attach' with JavaScript patterns or unusual filenames
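An added detection routine implementing the search above (not code from this page or from the YesWiki project). It assumes the {{attach file="..."}} parameter syntax and reports file= values containing markup or characters outside an expected filename set, handling both raw wiki text and URL-encoded access-log lines:

```python
import re
from urllib.parse import unquote

# Matches a {{attach ...}} action and captures its parameter string.
# The {{attach file="..." ...}} parameter syntax is an assumption here.
ATTACH_RE = re.compile(r"\{\{\s*attach\b([^}]*)\}\}", re.IGNORECASE)
FILE_RE = re.compile(r'\bfile\s*=\s*"([^"]*)"', re.IGNORECASE)

# Filenames made only of these characters are treated as ordinary;
# anything else is reported for review. Tune to your own naming rules.
SAFE_FILENAME_RE = re.compile(r"^[\w][\w .-]*$")
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def suspicious_attach_uses(lines):
    """Return (line_no, file_value, reason) for each {{attach}} whose
    file= value looks like markup rather than a filename. Each line is
    URL-decoded first, so the %7B%7Battach form seen in access logs is
    inspected the same way as raw wiki text."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = unquote(raw)
        for m in ATTACH_RE.finditer(line):
            fm = FILE_RE.search(m.group(1))
            if fm is None:
                continue  # no file= parameter, nothing to evaluate
            fname = fm.group(1)
            if MARKUP_RE.search(fname):
                findings.append((n, fname, "html-or-script markup in filename"))
            elif not SAFE_FILENAME_RE.match(fname):
                findings.append((n, fname, "characters outside expected filename set"))
    return findings


# Constructed sample input: wiki page text plus one access-log line with
# a URL-encoded request, not data taken from any real instance.
SAMPLE = [
    'PageA: {{attach file="report-2025.pdf" desc="Q1 report"}}',
    '10.0.0.5 - - "GET /?wiki=PageB&body=%7B%7Battach%20file%3D%22x%3Cscript%3E1'
    '%3C%2Fscript%3E.png%22%7D%7D HTTP/1.1" 200',
    'PageC: {{attach file="photo\'s\\file.png"}}',
    'PageD: {{attach desc="no file parameter"}}',
]

if __name__ == "__main__":
    for line_no, fname, reason in suspicious_attach_uses(SAMPLE):
        print("line %d: %r (%s)" % (line_no, fname, reason))
```

Feed it exported page bodies or access-log lines; every hit is a candidate for manual review, not a confirmed exploit attempt.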
🔗 References
- https://github.com/YesWiki/yeswiki/blob/v4.4.5/tools/attach/libs/attach.lib.php#L660
- https://github.com/YesWiki/yeswiki/commit/c1e28b59394957902c31c850219e4504a20db98b
- https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w59h-3x3q-3p6j