YesWiki Stored Blind Cross-Site Scripting Vulnerability

Vulnerability

A stored and blind cross-site scripting (XSS) vulnerability has been identified in YesWiki versions prior to 4.6.0. The issue resides in the form title input field, where an unauthenticated attacker can inject JavaScript that is saved in the backend database. When any user accesses the page with the injected title, the JavaScript payload is executed in their browser.

Impact

Exploiting this vulnerability allows arbitrary JavaScript to execute in the context of the victim's browser. This could lead to session hijacking, data theft, or reputational damage. Because the vulnerability is stored and blind, the risk is high for admins and privileged users.

Reproduction

To reproduce this vulnerability, visit the YesWiki instance and navigate to the BazaR wiki. Access the form title input field and inject a JavaScript payload, such as a script tag containing a JavaScript alert. After the form is saved, the injected script executes when the page is viewed, particularly in the diary record section.

Remediation

Users can update to YesWiki version 4.6.0 or later, where this vulnerability has been patched.
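
Because the payload is saved in the backend database, an administrator may also want to review stored form titles for markup. The sketch below is an added example, not YesWiki code or the project's patch: it assumes titles have been exported as (id, title) pairs (the export step is not shown and the sample rows are constructed), reports any title that contains an HTML element, and shows the title output-encoded for an HTML text context.

```python
from html import escape
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records the name of every HTML element found in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in_title(title):
    """Return the element names found in one stored form title."""
    collector = TagCollector()
    collector.feed(title)
    collector.close()
    return collector.tags


def audit_titles(rows):
    """Map form id -> element names for every title that contains markup.

    A form title is expected to be plain text, so any element is reported.
    """
    report = {}
    for form_id, title in rows:
        tags = tags_in_title(title)
        if tags:
            report[form_id] = tags
    return report


def render_title(title):
    """Output-encode a title before placing it in an HTML text context."""
    return escape(title, quote=True)


# Constructed sample rows (hypothetical export format: id, title).
SAMPLE_ROWS = [
    (1, "Diary"),
    (2, "Events & workshops <2026"),
    (3, "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    for form_id, tags in audit_titles(SAMPLE_ROWS).items():
        print(f"form {form_id}: contains {tags}")
        print("  encoded:", render_title(dict(SAMPLE_ROWS)[form_id]))
```

A bare `<` or `&` in a legitimate title is not reported, since only parsed elements count as findings.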

Added: Apr 2, 2026, 6:45 PM
Updated: Apr 2, 2026, 6:45 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.