YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XYeswiki
APPYeswiki< 4.6.0
Related vulnerabilities
YesWiki — pominięcie uwierzytelnienia przy tworzeniu i pobieraniu kopii zapasowej
YesWiki: słaby algorytm kryptograficzny umożliwia reset hasła dowolnego konta
YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user en...
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the...
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enab...