CVE-2025-24018: 
PHP vulnerability analysis and mitigation

YesWiki, a PHP-based wiki system, contains a stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 4.4.5. The vulnerability was discovered on January 21, 2025, and affects the content edition feature, specifically the {{attach}} component that allows users to attach files/medias to a page (GitHub Advisory).

The vulnerability exists in the showFileNotExits() function within tools/attach/libs/attach.lib.php where the file name attribute is not properly sanitized when returned to the client. This allows execution of malicious JavaScript code in the client's browser. The vulnerability has a CVSS score of 7.6 (High) with attack vector being Network, attack complexity Low, and requiring Low privileges (CISA Bulletin).

This vulnerability allows any authenticated user with rights to create comments or edit pages to steal accounts, modify pages and comments, change permissions, and extract user data like emails. This impacts the integrity, availability, and confidentiality of a YesWiki instance. The vulnerability can be exploited to perform full account takeover through a weak password recovery mechanism abuse (GitHub Advisory).

The recommended fixes include properly sanitizing the filename attribute using htmlspecialchars(), implementing a stronger password reset mechanism, and adding a Content Security Policy to mitigate XSS vulnerabilities. For the password reset mechanism, suggestions include not showing reset links to logged-in users, generating reset links only when requested, adding token expiration, and sending links via email only (GitHub Advisory).