CVE-2025-46550
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in YesWiki's /?BazaR endpoint: the idformulaire query parameter is reflected into the page without proper output encoding. An attacker who gets an authenticated user to open a crafted link can run JavaScript in that user's session, stealing session cookies (where they are not HttpOnly) or performing actions as that user, which can lead to session hijacking. All YesWiki instances running versions before 4.5.4 are affected.
💻 Affected Systems
- YesWiki
📦 What is this software?
YesWiki is a PHP-based wiki engine. Bazar, reached through the /?BazaR endpoint, is its forms and structured-data module; the idformulaire parameter selects which Bazar form to display.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative access by hijacking admin sessions, leading to complete system compromise, data theft, or website defacement with malicious content injection.
Likely Case
Attacker steals user session cookies to impersonate authenticated users, potentially accessing sensitive wiki content or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding the injected markup is rendered as text rather than executed, so no JavaScript runs. HttpOnly session cookies and a Content Security Policy without 'unsafe-inline' further limit what a successful injection could do.
🎯 Exploit Status
Reflected XSS is simple to exploit: the attacker only has to deliver a crafted URL (link, email, forum post, embedded iframe) to a victim. No account on the wiki is needed to trigger the flaw; the victim's browser sends the request, and the payload runs with whatever session the victim holds at the time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.4
Vendor Advisory: https://github.com/YesWiki/yeswiki/security/advisories/GHSA-ggqx-43h2-55jp
Restart Required: No
Instructions:
1. Back up your YesWiki installation and database.
2. Download YesWiki version 4.5.4 or later from the official repository.
3. Replace all files with the new version, preserving custom configuration and uploaded content.
4. Verify the update by checking the version in the admin panel.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block or sanitize requests whose idformulaire parameter contains script patterns (script tags, event-handler attributes, javascript: URIs). Match on the URL-decoded value, and decode more than once, since payloads are usually percent-encoded and sometimes double-encoded to get past naive filters.
WAF-specific configuration required
Input Validation Filter
Implement server-side filtering that validates the idformulaire parameter before it is processed or echoed. Prefer an allowlist over a blocklist: if your deployment only uses numeric form ids, reject any value that is not an integer.
Modify the PHP code to validate/sanitize $_GET['idformulaire'], and make sure any reflection of the value into HTML is passed through htmlspecialchars().
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution from untrusted sources. CSP only helps against this bug if it forbids inline scripts (no 'unsafe-inline' in script-src), since the payload is injected inline.
- Disable or restrict access to the /?BazaR endpoint (for example, limit it to authenticated users or trusted networks) if Bazar forms are not required for functionality.
🔍 How to Verify
Check if Vulnerable:
Only test systems you are authorised to test. In a browser, open /?BazaR&idformulaire=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E (the payload URL-encoded) and check whether the alert fires. Also view the page source and look for the tag reflected unescaped; a harmless marker string works as well as an alert() and is easier to search for.
Check Version:
Check the version displayed in the YesWiki admin panel or footer, or inspect the wiki's source code for version markers.
Verify Fix Applied:
After patching, repeat the test; JavaScript should not execute, and if the value is reflected at all it should appear HTML-entity-encoded in the page source (for example &lt;script&gt; instead of <script>).
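The check described above, as an added example (not part of the original advisory or of the YesWiki project): it builds the probe URL with a unique, harmless canary and classifies a response as reflected-raw (the canary appears unescaped, which is the vulnerable behaviour), reflected-encoded (the canary appears only as HTML entities, the expected post-patch behaviour), or not-reflected. The three sample responses are constructed for the offline check; the page layout they mimic is an assumption, and probe() is the only function that touches the network.

```python
import html
import re
import urllib.parse
import urllib.request

# Constructed canary: unique enough not to collide with page content and
# harmless (the <script> body is a bare identifier, it does nothing if it runs).
CANARY = "<script>yeswiki_cve_2025_46550_probe</script>"

# Entity spellings an encoder may use for the characters in the canary.
_ENTITY = {
    "<": r"(?:&lt;|&#0*60;|&#x0*3[cC];)",
    ">": r"(?:&gt;|&#0*62;|&#x0*3[eE];)",
    "/": r"(?:/|&#0*47;|&#x0*2[fF];)",
}


def build_probe_url(base_url: str, canary: str = CANARY) -> str:
    """Build the reflected-XSS probe URL for /?BazaR&idformulaire=<canary>."""
    return f"{base_url.rstrip('/')}/?BazaR&idformulaire=" + urllib.parse.quote(canary, safe="")


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary.

    'reflected-raw'     canary appears verbatim (raw <script> tag in the HTML)
    'reflected-encoded' canary appears only with < > / escaped as entities
    'not-reflected'     neither form is present
    """
    if canary in body:
        return "reflected-raw"
    encoded = "".join(_ENTITY.get(ch, re.escape(ch)) for ch in canary)
    if re.search(encoded, body):
        return "reflected-encoded"
    return "not-reflected"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL and classify the live response (network; authorised testing only)."""
    req = urllib.request.Request(
        build_probe_url(base_url), headers={"User-Agent": "cve-2025-46550-check"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return classify_reflection(body)


# Constructed responses (assumed layout) for an offline dry run.
VULNERABLE_RESPONSE = (
    '<html><body><div class="bazar">Form '
    "<script>yeswiki_cve_2025_46550_probe</script> not found</div></body></html>"
)
PATCHED_RESPONSE = (
    '<html><body><div class="bazar">Form '
    + html.escape(CANARY)
    + " not found</div></body></html>"
)
SILENT_RESPONSE = "<html><body><div class=\"bazar\">Unknown form</div></body></html>"

if __name__ == "__main__":
    for name, body in [("vulnerable", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE), ("silent", SILENT_RESPONSE)]:
        print(f"{name:10s} -> {classify_reflection(body)}")
    print(build_probe_url("https://wiki.example.org/"))
```

Run probe("https://wiki.example.org") against a host you are allowed to test. A reflected-raw result means the tag is emitted into the HTML unescaped; reflected-encoded is the safe behaviour. One caveat: the classifier looks for the canary in HTML text context only. If the value were reflected inside an attribute or a JavaScript string, an entity-encoded result could still be exploitable by breaking out with quotes, so inspect the surrounding source when the answer is anything other than not-reflected.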
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /?BazaR whose idformulaire parameter contains script tags, event-handler attributes (onerror=, onload=) or javascript: URIs, including percent-encoded (%3Cscript) and double-encoded (%253Cscript) forms. In a stock deployment the form id is a short numeric value, so any long or non-numeric idformulaire is worth review.
Network Indicators:
- Unusual traffic to the /?BazaR endpoint, especially requests with long or percent-encoded idformulaire values, or requests arriving with a Referer outside the wiki (a reflected XSS victim typically follows a link planted elsewhere).
SIEM Query:
Pseudo-syntax, to be adapted to your SIEM; note that BazaR is a query-string key, not a path component, so match on the full request URI rather than on the path alone:
source="web_logs" AND request_uri MATCHES "(?i)bazar" AND request_uri MATCHES "(?i)idformulaire=" AND url_decode(request_uri) MATCHES "(?i)<script|javascript:|onerror=|onload=|<svg|<img"
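The detection logic above, run over sample web-server logs, as an added example (not part of the original advisory or of the YesWiki project). It parses combined-format access log lines, picks out requests that target Bazar either as /?BazaR or as a rewritten /BazaR path (the rewritten form is an assumption about the deployment), percent-decodes the idformulaire value repeatedly so double-encoded payloads are caught, and flags values that look like script rather than a form id. The log lines are constructed for the example.

```python
import re
import urllib.parse
from typing import Optional

# Patterns that indicate a script payload rather than a form id. Applied to the
# fully percent-decoded idformulaire value.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:svg|img|iframe|object|embed)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Apache/nginx combined log format; only the request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly: attackers double-encode to slip past one-pass filters."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def bazar_idformulaire(uri: str) -> Optional[str]:
    """Return the decoded idformulaire value if the request targets Bazar, else None."""
    parsed = urllib.parse.urlsplit(uri)
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    # YesWiki addresses pages as /?BazaR (bare key in the query string); with URL
    # rewriting enabled the same page is /BazaR (assumed deployment variant).
    is_bazar = "bazar" in {k.lower() for k in params} or parsed.path.lower().rstrip("/").endswith("/bazar")
    if not is_bazar or "idformulaire" not in params:
        return None
    return fully_decode(params["idformulaire"][0])


def scan_log(lines):
    """Return one hit per request whose Bazar idformulaire value looks like a script payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = bazar_idformulaire(m.group("uri"))
        if value is None or not SUSPICIOUS.search(value):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "idformulaire": value})
    return hits


# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /?BazaR&idformulaire=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2025:10:02:13 +0000] "GET /?BazaR&idformulaire=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 6010 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2025:10:02:40 +0000] "GET /?BazaR&idformulaire=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 6012 "-" "curl/8.0"',
    '203.0.113.9 - - [10/May/2025:10:05:00 +0000] "GET /?PagePrincipale&idformulaire=%3Cscript%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2025:10:07:22 +0000] "GET /BazaR?idformulaire=javascript%3Aalert(document.cookie) HTTP/1.1" 200 6005 "http://evil.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} idformulaire={hit['idformulaire']!r}")
```

The fourth sample line carries a script tag but targets a different page, so this rule ignores it; a broader rule would flag idformulaire payloads on any page, at the cost of more noise. Because the value is decoded before matching, the double-encoded third line is caught with the same pattern as the single-encoded second one.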