CVE-2025-46350

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the users session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.5 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
GitHub_MCNA
3.5 LOW
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
VendorProductVersion
yeswikiyeswiki
𝑥
< 4.5.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8