CVE-2025-46350

Опубликовано: 29 апр. 2025

Источник: nvd

CVSS3: 3.5

CVSS3: 4.8

EPSS Низкий

Описание

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.

Ссылки

https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9
Patch
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8
Exploit
Vendor Advisory
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*

Версия до 4.5.4 (исключая)

EPSS

Процентиль: 18%

0.00059

Низкий

3.5 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-cg4f-cq8h-3ch8

CVSS3: 3.8

github

9 месяцев назад

Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting

EPSS

Процентиль: 18%

0.00059

Низкий

3.5 Low

CVSS3

4.8 Medium

CVSS3

Дефекты

CWE-79