YesWiki Authenticated Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in YesWiki versions through 4.4.5. This issue allows authenticated users with permission to edit or create pages and comments to inject malicious scripts. The vulnerability arises from improper sanitization of file names in the 'attach' component, which is used to upload files or media to pages. When a non-existent file is referenced, the server generates a file upload button that includes the file name, creating an opportunity for script injection. Exploiting this vulnerability could lead to account takeover by stealing password reset links through the injected script, according to the vulnerability advisory.

Impact

Exploitation of this vulnerability allows for authenticated stored cross-site scripting, with the potential for account takeover by stealing password reset links.

Reproduction

To reproduce this vulnerability, an authenticated user can create a comment or edit a page. The user should attach a file using the 'attach' component, specifying a non-existent file in the 'file' attribute. This will trigger the server to generate a file upload button containing the unsanitized file name, which can include malicious JavaScript. Once the comment or page is saved, the injected script will execute whenever the page or comment is viewed.

Remediation

Users can update to YesWiki version 4.5.0, which addresses this vulnerability by properly sanitizing file names before they are displayed. Additionally, it is recommended to implement a stronger password reset mechanism and a robust Content Security Policy to mitigate potential cross-site scripting risks.