CVE-2025-24019
Published: 21 January 2025
Description
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.
Security Summary
CVE-2025-24019 affects YesWiki, a wiki system written in PHP, in versions up to and including 4.4.5. The vulnerability enables any authenticated user to delete arbitrary files owned by the user running the FastCGI Process Manager (FPM), such as www-data, via the filemanager without any limitation on filesystem scope. Classified as CWE-22 (Path Traversal), it has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Any authenticated user can exploit this issue remotely with low complexity, leading to partial data loss and website defacement or deterioration through arbitrary content removal. In standard installations where www-data also owns the PHP files, an attacker can delete critical files like index.php or YesWiki core files, effectively denying access to the wiki. In unmodified container installations, YesWiki files owned by root (such as .php files) are not deletable by the www-data FPM process.
The YesWiki GitHub security advisory (GHSA-43c9-gw4x-pcx6) and patch commit (3ddd833d22703caf9025659eb174f7765df7147c) state that version 4.5.0 resolves the vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated arbitrary file deletion enables file deletion (T1070.004, T1107), data destruction (T1485), service stop by deleting critical files (T1489), and website defacement (T1491).