CVE-2025-46348

CRITICAL

10.0

Beschreibung

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.

CVE Details

CVSS v3.1 Bewertung10.0

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht4/29/2025

Zuletzt geandert5/9/2025

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

yeswiki:yeswiki

Schwachen (CWE)

CWE-287CWE-862CWE-862

Referenzen

https://github.com/YesWiki/yeswiki/commit/0d4efc880a727599fa4f6d7a64cc967afe475530(security-advisories@github.com)

https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95(security-advisories@github.com)

https://github.com/YesWiki/yeswiki/security/advisories/GHSA-wc9g-6j9w-hr95(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.