
CVE-2025-46550: Yeswiki Vulnerable to Unauthenticated Reflected Cross-site Scripting

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.16283%
Published: 4/29/2025
Updated: 4/30/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
yeswiki/yeswiki | composer | <= 4.5.3 | 4.5.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a reflected XSS in YesWiki, where the idformulaire GET parameter is not properly sanitized before being rendered on the page. The provided patch 4e9e51d80cd024ed2ac5c12c820817e6d8c2655a addresses this in two main files:

  1. tools/bazar/templates/forms/forms_confirm.twig: This Twig template file shows that the idformulaire (accessed via request.get.idformulaire) was previously used directly when calling the Twig functions _t and url. The patch modifies these calls to use int(request.get.idformulaire), effectively sanitizing the input by casting it to an integer.
  2. includes/services/TemplateEngine.php: This PHP file shows the addition of a new Twig helper int (which performs the casting) and the existing definition of the Twig helper for _t. The _t helper is an anonymous function (closure) that takes parameters, calls a global PHP function _t(), and then applies html_entity_decode() to the result.

The analysis focuses on identifying PHP functions that process the malicious idformulaire input:

  • The anonymous function (closure) defined in TemplateEngine.php for the _t Twig helper is directly implicated. It receives the raw idformulaire (pre-patch) in its $params and passes it to the global _t() function. This closure is a clear point where the tainted data is handled within PHP code shown in the patch context.
  • The global PHP function _t() is subsequently called by this closure with the tainted data. If _t() itself doesn't perform adequate sanitization for XSS, or if its output is rendered unsafe by the html_entity_decode() in the helper, it's part of the vulnerable path.

The patch indicates that the url() Twig function was also a sink for the XSS. However, the definition of the url Twig helper (and the PHP function behind it) is not visible in the .php snippets of the patch. So while the template shows a vulnerable call to url(), the PHP function on that path cannot be identified with the same level of evidence as _t(). The functions identified here are therefore those the patch directly shows handling idformulaire on the way to the _t sink.
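To make the data flow concrete, the following is an added example (not YesWiki's code and not taken from the patch) that models the two Twig helpers described above as plain PHP closures; the `$helpers` array, the stand-in `_t()` catalogue and the constructed input value are assumptions for this demo.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for YesWiki's global _t(): resolves a message key and,
// like many i18n lookups, echoes an unknown key back unchanged.
function _t(string $key): string
{
    static $catalogue = ['BAZ_CONFIRM' => 'Confirm deletion of form &quot;%s&quot;?'];
    return $catalogue[$key] ?? $key;
}

$helpers = [];

// The `_t` helper as the advisory describes it: call _t(), then html_entity_decode().
// Decoding entities means any escaping applied earlier is undone at this point.
$helpers['_t'] = fn(string $key): string => html_entity_decode(_t($key));

// The helper the patch adds: cast to int before the value reaches any sink.
$helpers['int'] = fn($value): int => (int) $value;

// Constructed attacker-controlled query value (not a real payload); a form id
// is expected here, so anything that is not digits is unwanted.
$tainted = '7<b>bold</b>';

// Pre-patch flow: request.get.idformulaire goes straight into _t(...).
$before = $helpers['_t']($tainted);

// Post-patch flow: int(request.get.idformulaire) is applied first, so only a
// number can ever reach _t() or url().
$after = $helpers['_t']((string) $helpers['int']($tainted));

// Behaviour of the (int) cast that matters when relying on it as the sanitizer:
// a leading-numeric string keeps its digits, a non-numeric string becomes 0.
$checks = [
    'pre-patch: markup survives unchanged'   => $before === $tainted,
    'post-patch: only the leading digits'    => $after === '7',
    'non-numeric input collapses to 0'       => $helpers['int']('abc') === 0,
    'surrounding whitespace is tolerated'    => $helpers['int'](' 12 ') === 12,
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL'), ': ', $label, PHP_EOL;
}
```

Note that the cast maps garbage to form id 0, so code downstream should still treat a non-existent id as an error rather than assume the cast alone validates the request.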

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry **Vuln*r**l* V*rsion:** Y*swiki < v*.*.* ****t**ory:** Inj**tion ***W*: **:** Improp*r N*utr*liz*tion o* Input *urin* W** P*** **n*r*tion (*W*-**) ***VSS:** *.* (*VSS:*.*/*V:N/**:L/PR:N/UI:N/S:U/*:N/I:L/*:N) **Vuln*r**l* *n*point:** `/?**

Reasoning

T** vuln*r**ility is * r**l**t** XSS in Y*sWiki, w**r* t** `i**ormul*ir*` **T p*r*m*t*r is not prop*rly s*nitiz** ***or* **in* r*n**r** on t** p***. T** provi*** p*t** `****************************************` ***r*ss*s t*is in two m*in *il*s: *. `