{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46350", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-22T22:41:54.913Z", "datePublished": "2025-04-29T17:11:18.291Z", "dateUpdated": "2025-04-29T18:00:34.649Z"}, "containers": {"cna": {"title": "Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8"}, {"name": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9", "tags": ["x_refsource_MISC"], "url": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9"}], "affected": [{"vendor": "YesWiki", "product": "yeswiki", "versions": [{"version": "< 4.5.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-29T17:11:18.291Z"}, "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user\u2019s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4."}], "source": {"advisory": "GHSA-cg4f-cq8h-3ch8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-29T18:00:32.010451Z", "id": "CVE-2025-46350", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T18:00:34.649Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46350", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-29T18:00:32.010451Z"}}}], "references": [{"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T18:00:28.604Z"}}], "cna": {"title": "Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting", "source": {"advisory": "GHSA-cg4f-cq8h-3ch8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "YesWiki", "product": "yeswiki", "versions": [{"status": "affected", "version": "< 4.5.4"}]}], "references": [{"url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "name": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9", "name": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user\u2019s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-29T17:11:18.291Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46350", "state": "PUBLISHED", "dateUpdated": "2025-04-29T18:00:34.649Z", "dateReserved": "2025-04-22T22:41:54.913Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-29T17:11:18.291Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3230BE7-CB3C-401F-A727-7052E9E07A68", "versionEndExcluding": "4.5.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user\u2019s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4."}, {"lang": "es", "value": "YesWiki es un sistema wiki escrito en PHP. Antes de la versi\u00f3n 4.5.4, un atacante pod\u00eda usar un ataque de cross-site scripting reflejado para robar cookies de un usuario autenticado al hacer que hiciera clic en un enlace malicioso. Las cookies robadas permiten al atacante controlar la sesi\u00f3n del usuario. Esta vulnerabilidad tambi\u00e9n puede permitir a los atacantes desfigurar el sitio web o incrustar contenido malicioso. Este problema se ha corregido en la versi\u00f3n 4.5.4."}], "id": "CVE-2025-46350", "lastModified": "2025-05-09T13:57:36.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-29T18:15:44.950", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/YesWiki/yeswiki/commit/e2603176a4607b83659635a0c517550d4a171cb9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/YesWiki/yeswiki/security/advisories/GHSA-cg4f-cq8h-3ch8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}