CVE-2025-24018
Published: 21 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24018 is a stored cross-site scripting (XSS) vulnerability in YesWiki, a wiki system written in PHP. It affects versions up to and including 4.4.5 and stems from the content editing feature, specifically the `{{attach}}` component used for attaching files or media to pages. When the file named in the `file` attribute does not exist, the server generates an upload button that incorporates the filename. A malicious payload injected through that filename is stored with the content and executes as stored XSS on any page that loads the resource.
An authenticated user with rights to edit or create a page or comment can exploit this vulnerability. Successful exploitation allows the attacker to steal accounts, modify pages and comments, alter permissions, and extract sensitive user data such as emails, thereby compromising the integrity, availability, and confidentiality of the YesWiki instance.
The YesWiki security advisory (GHSA-w59h-3x3q-3p6j) and associated GitHub commit detail the patch in version 4.5.0, which addresses the issue in the `attach.lib.php` file around line 660. Security practitioners should upgrade to YesWiki 4.5.0 or later to mitigate the vulnerability.
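An added example, not code from the YesWiki project or the advisory: upgrading stops new injections, so a defender may also want to review content already stored for `{{attach}}` actions whose `file` value is not a plain filename. It assumes the action is written as `{{attach file="..." ...}}` with double-quoted attributes and that page and comment bodies have been exported as tag-to-text pairs; `audit_page`, `audit_all`, the allowlist and the sample pages are constructed for illustration.

```python
import re

# Assumption: attach actions look like {{attach file="name" other="value"}}.
ATTACH_RE = re.compile(r"\{\{\s*attach\b(.*?)\}\}", re.I | re.S)
PAIR_RE = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"')
# Conservative filename allowlist (assumption); widen it to fit local naming.
SAFE_NAME_RE = re.compile(r"[\w .()/-]+")

def audit_page(tag, body):
    """Return (tag, reason, raw_action) for each attach action needing review."""
    findings = []
    for m in ATTACH_RE.finditer(body):
        attrs = m.group(1)
        pairs = {k.lower(): v for k, v in PAIR_RE.findall(attrs)}
        # Anything left once well-formed key="value" pairs are removed points
        # to stray quotes or markup inside the action.
        leftover = PAIR_RE.sub("", attrs).strip()
        name = pairs.get("file")
        if name is None:
            reason = "no parsable file attribute"
        elif not SAFE_NAME_RE.fullmatch(name):
            reason = "file value outside allowlist"
        elif leftover:
            reason = "unparsed text after attributes"
        else:
            continue
        findings.append((tag, reason, m.group(0)))
    return findings

def audit_all(pages):
    """Audit a mapping of page tag -> stored body text."""
    out = []
    for tag, body in pages.items():
        out.extend(audit_page(tag, body))
    return out

# Constructed sample content, not taken from a real instance.
SAMPLE_PAGES = {
    "HomePage": 'Welcome {{attach file="logo.png" desc="Logo"}}',
    "Notes": 'See {{attach file="minutes<b>.pdf" desc="Minutes"}}',
    "Todo": '{{attach file="plan.odt" stray desc="Plan"}}',
}

if __name__ == "__main__":
    for tag, reason, raw in audit_all(SAMPLE_PAGES):
        print(f"{tag}: {reason}: {raw}")
```

Findings are a review queue rather than proof of compromise: a legitimate filename with characters outside the allowlist will also be listed.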
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the public-facing YesWiki web app allows an authenticated user to inject malicious JavaScript payloads via the attach component, and those payloads execute in victims' browsers (T1059.007); exploitation of the web application vulnerability aligns with T1190.