Listen to this Post
The vulnerabilities are reflected cross-site scripting (XSS) flaws present in both authenticated and unauthenticated areas of YesWiki. The core issue is that user-supplied input in various URL parameters is echoed back to the page without proper sanitization or encoding. When an attacker crafts a malicious link containing JavaScript, the victim’s browser executes the script within the context of the vulnerable application.
For authenticated reflected XSS, the payload is inserted into parameters such as incomingurl, id, or `file` within endpoints like deletepage, saisir_fiche, and GererThemes/upload. These require the victim to have an active session. Unauthenticated reflected XSS is triggered via parameters like `tags` in `listpages` or the `template` parameter in bazariframe. Because the application reflects the input immediately, no prior authentication is needed for those vectors.
The attack surface is broad: in the `bazariframe` example, nearly any parameter can carry the payload. The PoC URLs demonstrate that an attacker can inject `` or encoded variants like `%22%3E%3Cscript%3Ealert(1)%3C/script%3E` which break out of HTML attributes and execute. The lack of output encoding allows arbitrary JavaScript to be run, leading to session hijacking, forced authenticated requests, and chaining with other backend vulnerabilities to potentially achieve remote code execution.
The root cause is insufficient input validation and failure to apply context-appropriate escaping on reflected parameters. Versions prior to 4.6.0 are affected, and the fix involves sanitizing all user-controlled data before inclusion in the response.
Platform: YesWiki
Version: < 4.6.0
Vulnerability: Reflected XSS (multiple)
Severity: Critical
date: 2026-04-01
Prediction: Already fixed (4.6.0)
What Undercode Say:
Test unauthenticated XSS on listpages curl -k "http://target/?PagePrincipale/listpages&tags=%22%3E%3Cscript%3Ealert(1)%3C/script%3E" Test authenticated XSS on deletepage (requires valid session cookie) curl -k -b "YESWIKI_SESSION=xxx" "http://target/?ElizabethJFeinler/deletepage&incomingurl=%22%3E%3Cscript%3Ealert(1)%3C/script%3E" PoC for bazariframe (unauthenticated) curl -k "http://target/?BazaR/bazariframe&id=2&template=%3Cscript%3Ealert(1)%3C/script%3E&width=100%25"
Exploit:
Attacker crafts a malicious URL with JavaScript payload embedded in a vulnerable parameter (e.g., ?tags="><script>alert(document.cookie)</script>). When a victim clicks the link, the script executes in their browser. For authenticated endpoints, the attacker can lure a logged-in user to trigger privileged actions or steal session tokens.
Protection from this CVE
- Upgrade to YesWiki version 4.6.0 or later.
- Apply output encoding (HTML entity, JavaScript, URL) for all reflected parameters.
- Implement Content Security Policy (CSP) to restrict script execution.
Impact
Critical. Allows arbitrary JavaScript execution in victim browsers. Combined with other vulnerabilities, it can lead to session hijacking, account takeover, and in worst-case scenarios, remote code execution on the server.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

