The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create an archive and then download the archive without being authenticated.
Reflected XSS has been detected in the file upload form. Vulnerability can be exploited without authentication This Proof of Concept has been performed using the followings: YesWiki v4.5.3 (doryphore-dev branch) Docker environnment (docker/docker-compose.yml)
Vulnerable Version: Yeswiki < v4.5.4 Category: Injection CWE: 79: Improper Neutralization of Input During Web Page Generation (CWE-79) CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) Vulnerable Endpoint: /?BazaR Vulnerable Parameter: idformulaire Payload: <script>alert(1)</script>
Vulnerable Version: Yeswiki < v4.5.4 Category: Injection CWE: 79: Improper Neutralization of Input During Web Page Generation (CWE-79) CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) Vulnerable Endpoint: /?BazaR/bazariframe Vulnerable Parameter: template Payload: <script>alert(1)</script>
Vulnerable Version: Yeswiki < v4.5.4 Vulnerable Endpoint: /?PagePrincipale%2Fdeletepage Vulnerable Parameter: incomingurl Payload: "><script>alert(1)</script>
A stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execution of <script> tags, but …
An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server. All testing was performed on a local docker setup running the latest version of the application.
The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload ../../../../../../etc/passwd was submitted in the squelette parameter. The requested file was returned in the application's response.
It is possible for any end-user to craft a DOM based XSS on all of YesWiki's pages which will be triggered when a user clicks on a malicious link. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation
It is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation
It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation
The use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account.
An SQL Injection vlnerability exists in Yeswiki Doryphore prior to version 4.1.0 via the email parameter in the registration form.