YesWiki
cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*
- <= 4.4.5
A DOM-based cross-site scripting (XSS) vulnerability has been identified in YesWiki versions through 4.4.5. This issue allows any end-user to craft a malicious link that triggers XSS on all YesWiki pages, particularly exploiting the search by tag feature. When a non-existent tag is searched, the tag name is reflected on the page without proper server-side sanitization. This flaw enables a user to create a link that, when clicked, executes client-side scripts. The vulnerability can lead to account takeover by stealing session information from users, including administrators, through a weak password recovery mechanism.
Exploitation of this vulnerability allows for unauthorized account access, including administrative accounts, by bypassing password protections. It also enables the modification of pages, comments, and permissions, and the extraction of user data such as email addresses, thereby compromising the overall integrity and confidentiality of the affected YesWiki instance.
The vulnerability can be reproduced with the search by tag feature: when a tag that does not exist is entered, the tag name is displayed on the page without proper sanitization. Once the tag is reflected, a malicious link can be crafted that exploits the XSS vulnerability when clicked.
Users can update to YesWiki version 4.5.0 or later, where this vulnerability has been patched.
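The output-encoding pattern that closes this class of bug, as an added example (not YesWiki's code or its actual patch): a "no results" message built by string concatenation, beside a version that encodes the tag name for the HTML and URL contexts it lands in. The function names, message text, `tag` query parameter and sample input are assumptions constructed for illustration.

```javascript
// Added example, not YesWiki code. All names below are hypothetical.

// Encode the characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the tag name from the request is concatenated straight into
// markup, so any markup characters in it become part of the page.
function renderNoResultsUnsafe(tag) {
  return '<p class="no-results">No pages found for tag ' + tag + '</p>';
}

// "After": the tag is encoded once per context it is written into.
//  - URL context: encodeURIComponent for the query-string value
//  - HTML context: escapeHtml for the attribute value and the visible text
function renderNoResultsSafe(tag) {
  const href = escapeHtml('?tag=' + encodeURIComponent(tag));
  const text = escapeHtml(tag);
  return '<p class="no-results">No pages found for tag ' +
         '<a href="' + href + '">' + text + '</a></p>';
}

// Constructed sample input: a tag name carrying harmless markup, enough to
// show whether the page structure can be altered by the tag value.
const sampleTag = '"><em>injected</em>';

console.log(renderNoResultsUnsafe(sampleTag)); // <em> element appears in the page
console.log(renderNoResultsSafe(sampleTag));   // tag shown as inert text

// In browser code the equivalent rule is to assign untrusted values with
// element.textContent (or setAttribute) rather than innerHTML.
```

Encoding on output is a defence in depth for instances that cannot be upgraded immediately; the supported remediation remains the update to 4.5.0 or later.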