CVE-2025-52277

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in YesWiki v.4.54 allows remote attackers to inject malicious scripts via the meta configuration robots field. When exploited, it lets an attacker execute arbitrary script in users' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users. All YesWiki installations running version 4.54 are affected.

💻 Affected Systems

Products:
  • YesWiki
Versions: v.4.54
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the meta configuration robots field functionality. All default installations of YesWiki v.4.54 are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over administrative accounts, deface websites, or redirect users to malicious sites, potentially leading to complete system compromise.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, perform actions as authenticated users, or redirect users to phishing sites.

🟢 If Mitigated

With proper input validation and output encoding, the impact is limited to potential data leakage, with no script execution in users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to have access to modify the robots meta configuration field, which typically requires some level of access to the YesWiki administration interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: YesWiki version after 4.54

Vendor Advisory: http://yeswiki.com

Restart Required: No

Instructions:

1. Back up your YesWiki installation and database.
2. Download the latest YesWiki version from the official website.
3. Replace the vulnerable files with the patched version.
4. Clear any caches, if applicable.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation of the robots meta configuration field and encode the value on output, so that a stored value containing quotes, angle brackets or script cannot break out of the meta tag when the page is rendered.
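As an added illustration (hypothetical code, not YesWiki's own), the PHP helper below applies both halves of this workaround to a robots meta value: an allowlist check on input, and HTML encoding on output, shown beside the unsafe string concatenation that lets a stored value break out of the content attribute. The directive list and function names are assumptions for the example.

```php
<?php
// Hypothetical example, not YesWiki code: validate and encode a robots meta value.
declare(strict_types=1);

// Directives a robots meta tag understands; anything else is rejected on input.
const ROBOTS_DIRECTIVES = ['index', 'noindex', 'follow', 'nofollow', 'none',
                           'noarchive', 'nosnippet', 'noimageindex'];

/**
 * Server-side validation: accept only a comma-separated list of known directives.
 * Returns the normalised value, or null if any token is not on the allowlist.
 */
function validateRobotsValue(string $raw): ?string
{
    $tokens = array_map('trim', explode(',', strtolower($raw)));
    $tokens = array_values(array_filter($tokens, fn ($t) => $t !== ''));
    if ($tokens === []) {
        return null;
    }
    foreach ($tokens as $t) {
        if (!in_array($t, ROBOTS_DIRECTIVES, true)) {
            return null;
        }
    }
    return implode(', ', $tokens);
}

// Unsafe rendering: the stored value is concatenated straight into the attribute,
// so a value containing a double quote closes the attribute and any markup that
// follows it becomes part of the page.
function renderRobotsMetaUnsafe(string $value): string
{
    return '<meta name="robots" content="' . $value . '">';
}

// Hardened rendering: output encoding with ENT_QUOTES turns both quote styles and
// angle brackets into entities, so the value can never leave the attribute.
function renderRobotsMetaSafe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="robots" content="' . $encoded . '">';
}

// Constructed sample input: a valid directive followed by an attribute-breaking quote.
$suspicious = 'noindex"><b>x</b>';
var_dump(validateRobotsValue($suspicious));       // rejected by the allowlist
echo renderRobotsMetaUnsafe($suspicious), PHP_EOL; // attribute closed early
echo renderRobotsMetaSafe($suspicious), PHP_EOL;   // quote and brackets encoded
echo renderRobotsMetaSafe((string) validateRobotsValue('NoIndex, nofollow')), PHP_EOL;
```

Validation alone is not enough if values already stored before the check was added are still rendered, so the output encoding is the half that must be present regardless.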

Content Security Policy (CSP)

all

Implement a strict Content Security Policy header to prevent execution of inline scripts and restrict script sources.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads targeting the robots meta field.
  • Restrict access to the YesWiki administration interface to trusted IP addresses only.

🔍 How to Verify

Check if Vulnerable:

Check if your YesWiki installation is version 4.54 by examining the version information in the admin panel or configuration files.

Check Version:

Check the YesWiki admin panel or examine the version.php file in the installation directory.

Verify Fix Applied:

After patching, verify the version is updated to a version after 4.54 and test the robots meta field with safe test payloads to ensure proper sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to meta configuration fields
  • Suspicious POST requests containing script tags or JavaScript in robots field parameters

Network Indicators:

  • HTTP requests containing script payloads in robots field parameters
  • Unexpected JavaScript execution from YesWiki pages

SIEM Query:

source="web_server_logs" AND (uri_path="/admin/config" OR uri_path="/wiki/config") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")
