CVE-2025-24018
Published: 21 January 2025
Summary
CVE-2025-24018 is a high-severity Cross-site Scripting (CWE-79) vulnerability in YesWiki. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24018 is a stored cross-site scripting (XSS) vulnerability in YesWiki, a wiki system written in PHP. It affects versions up to and including 4.4.5 and stems from the content editing feature, specifically the `{{attach}}` component used for attaching files or media to pages. When the file named in the `file` attribute does not exist, the server generates an upload button that embeds the filename in the page without escaping it, so a crafted filename is stored in the page content and executes as XSS in the browser of anyone loading a page where the resource is referenced.
An authenticated user with rights to edit or create a page or comment can exploit this vulnerability. Successful exploitation allows the attacker to steal accounts, modify pages and comments, alter permissions, and extract sensitive user data such as emails, thereby compromising the integrity, availability, and confidentiality of the YesWiki instance.
The YesWiki security advisory (GHSA-w59h-3x3q-3p6j) and associated GitHub commit detail the patch in version 4.5.0, which addresses the issue in the `attach.lib.php` file around line 660. Security practitioners should upgrade to YesWiki 4.5.0 or later to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0199
Vulnerability details
YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained in the `file` attribute doesn't exist, then the server will generate a file upload button containing the filename. This vulnerability allows any malicious authenticated user that has the right to create a comment or edit a page to be able to steal accounts and therefore modify pages, comments, permissions, extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing YesWiki web app allows authenticated injection of malicious JavaScript payloads via the attach component that execute in victims' browsers (T1059.007); exploitation of the web application vulnerability aligns with T1190.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating user-supplied inputs like the `file` attribute in the `{{attach}}` component to block injection of malicious filenames containing XSS payloads.
SI-15 mandates filtering and encoding of outputs such as the generated upload button HTML incorporating the filename to prevent stored XSS execution on pages loading the resource.
SI-2 ensures timely patching of flaws like the unescaped filename handling in `attach.lib.php`, directly addressed by the YesWiki 4.5.0 update.
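The following is an added illustration, not YesWiki's own code, of the defect class described in the analysis above and of the SI-10 and SI-15 controls applied to it: a filename taken from an `{{attach file="..."}}` attribute is reflected into an upload button, first concatenated raw into the HTML and then behind an allowlist check plus HTML encoding. The function names, the regular expression and the exact markup are assumptions for the example; the real `attach.lib.php` rendering is not reproduced here.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (hypothetical reconstruction): the attribute value is
// concatenated straight into markup and into an inline event handler, so any
// HTML or quote characters in the stored filename become part of the page.
function renderUploadButtonVulnerable(string $filename): string
{
    return '<input type="button" value="Upload ' . $filename . '" '
         . 'onclick="upload(\'' . $filename . '\')">';
}

// SI-10, input validation: accept only a plain basename of bounded length,
// with no path separators and no leading dot. Anything else is rejected
// before it can reach the template.
function isSafeAttachFilename(string $filename): bool
{
    return (bool) preg_match('/\A(?!\.)[A-Za-z0-9._-]{1,128}\z/', $filename);
}

// SI-15, output filtering: whatever is emitted into markup is HTML-encoded
// with quotes included, and the filename travels in a data attribute instead
// of an inline JavaScript string so no second (JS) encoding context exists.
function renderUploadButtonHardened(string $filename): string
{
    if (!isSafeAttachFilename($filename)) {
        // Do not reflect the rejected value at all; return a fixed message.
        return '<span class="attach-error">Invalid attachment name</span>';
    }
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="button" value="Upload ' . $safe . '" data-file="' . $safe . '">';
}

// Constructed sample inputs: a benign filename and one that breaks out of the
// value attribute to inject markup (no script payload is needed to show it).
$samples = ['report.pdf', '"><b>injected</b>'];
foreach ($samples as $name) {
    echo 'vulnerable: ' . renderUploadButtonVulnerable($name) . PHP_EOL;
    echo 'hardened:   ' . renderUploadButtonHardened($name) . PHP_EOL;
}
```

Running it shows the second sample closing the `value` attribute in the vulnerable output while the hardened path rejects it outright; a filename such as `a"b.pdf` that passed a looser allowlist would still be neutralised by the encoding step, which is why both controls are kept.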