CVE-2025-46550 Scanner

YesWiki is a versatile and user-friendly content management system that allows users to collaboratively create and manage web pages. It is widely used by communities, educational institutions, and businesses for building wiki-style websites. This platform provides tools for page editing, management, and extension through plugins, allowing diverse functionalities. Its open-source nature encourages contributions and extensions from developers worldwide. YesWiki is favored for its simplicity and flexibility, making it accessible for users with varying technical expertise. Despite its popularity and ease of use, it's essential to ensure security against vulnerabilities inherent to web applications.

Cross-Site Scripting (XSS) is a prevalent security vulnerability in web applications where attackers inject malicious scripts into webpages viewed by others. This particular XSS vulnerability in YesWiki is caused by unsanitized 'idformulaire' parameter input exposed through the '/?BazaR' endpoint. Exploiting this vulnerability could allow malicious actors to execute arbitrary JavaScript code in the browser of users who follow a crafted URL. XSS vulnerabilities like this are critical as they may lead to significant threats such as session hijacking. By exploiting this flaw, attackers can manipulate the appearance or behavior of the website as perceived by other users.

The vulnerability arises from the lack of input validation on the 'idformulaire' parameter used in the context of confirming a delete action in YesWiki's endpoint. When user-supplied data containing script tags is not properly sanitized, it can be executed in the web browser of users visiting the malicious link. This poses a risk where attackers could craft URLs that execute JavaScript to facilitate theft of cookies or other sensitive information from the user's session. Additionally, malicious payloads in scripts could redirect users to phishing pages or attempt other attack techniques possible via JavaScript.

If this vulnerability is exploited, malicious users can steal cookies, hijack user sessions, or deface website components. Such actions compromise user data integrity and privacy, potentially leading to unauthorized access to user accounts and sensitive information. Defacing websites can damage reputations and erode user trust in the platform. The malicious scripts could also embed hostile content that further propagates security risks to unsuspecting visitors. Ensuring security against XSS vulnerabilities is crucial for maintaining the platform's integrity and protecting user data.

REFERENCES

• https://github.com/YesWiki/yeswiki/security/advisories/GHSA-ggqx-43h2-55jp
• https://nvd.nist.gov/vuln/detail/CVE-2025-46550