CVE-2025-24017_PHP_4.4.5_vuln_XSS


- **fileName**: CVE-2025-24017_PHP_4.4.5_vuln_XSS
- **Created on**: 2025-12-13 21:09:25

DESCRIPTION:

PHP. Versions up to and including 4.4.5 are vulnerable to any end-user
crafting a DOM based XSS on all of YesWiki's pages which is triggered when
a user clicks on a malicious link. The vulnerability makes use of the
search by tag feature. When a tag doesn't exist, the tag is reflected on
the page and isn't properly sanitized on the server side which allows a
malicious user to generate a link that will trigger an XSS on the client's
side when clicked. This vulnerability allows any user to generate a
malicious link that will trigger an account takeover when clicked,
therefore allowing a user to steal other accounts, modify pages, comments,
permissions, extract user data (emails), thus impacting the integrity,
availability and confidentiality of a YesWiki instance. Version 4.5.0
contains a patch for the issue.
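
The tag-reflection flaw described above, shown as an added example (not YesWiki's code and not part of the original note): the unsafe rendering of a "tag not found" message beside an output-encoded version. The URL, the `tag` parameter name, the message text and all function names are assumptions made for illustration.

```javascript
// Added example, not YesWiki code. All names below are hypothetical.

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the searched tag from a link. The parameter name "tag" is an assumption.
function tagFromUrl(url) {
  return new URL(url).searchParams.get('tag') ?? '';
}

// Vulnerable pattern: the unknown tag is concatenated into markup as-is,
// so any markup carried in the link becomes part of the page.
function renderNoResultUnsafe(tag) {
  return `<p class="no-result">No page found for tag "${tag}"</p>`;
}

// Hardened pattern: the tag is HTML-encoded at the point of output,
// so the browser displays it as text instead of parsing it.
function renderNoResultSafe(tag) {
  return `<p class="no-result">No page found for tag "${escapeHtml(tag)}"</p>`;
}

// Defence in depth: reject values that do not look like a tag at all
// (letters, digits, underscore, space, hyphen; at most 64 characters).
function isPlausibleTag(tag) {
  return /^[\p{L}\p{N}_ -]{1,64}$/u.test(tag);
}

// Constructed sample link carrying harmless markup in the tag value.
const SAMPLE_LINK =
  'https://wiki.example/search?tag=' + encodeURIComponent('<i id="marker">x</i>');

const sampleTag = tagFromUrl(SAMPLE_LINK);
console.log('unsafe :', renderNoResultUnsafe(sampleTag));
console.log('safe   :', renderNoResultSafe(sampleTag));
console.log('valid? :', isPlausibleTag(sampleTag));
```

Encoding at output is the primary fix; the allowlist check only reduces what reaches the renderer.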

MORE Vulnerability Details

GitHub security article

Important

Check the PHP version of the website.
