YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.
oryginał ENCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XYeswiki
APPYeswiki< 4.6.0
Powiązane podatności
YesWiki — pominięcie uwierzytelnienia przy tworzeniu i pobieraniu kopii zapasowej
YesWiki: słaby algorytm kryptograficzny umożliwia reset hasła dowolnego konta
YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user en...
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the...
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enab...