Vulnerabilities > CVE-2025-46348 - Missing Authorization vulnerability in Yeswiki

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

yeswiki

CWE-862

critical

NVD

Published: 2025-04-29

Updated: 2025-05-09

Summary

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.

Vulnerable Configurations

Part	Description	Count
Application	Yeswiki Yeswiki Yeswiki - Yeswiki Yeswiki 4.1.0 Yeswiki Yeswiki 4.1.1 Yeswiki Yeswiki 4.1.2 Yeswiki Yeswiki 4.1.3 Yeswiki Yeswiki 4.1.4 Yeswiki Yeswiki 4.1.5 Yeswiki Yeswiki 4.2.0 Yeswiki Yeswiki 4.2.1 Yeswiki Yeswiki 4.2.2 Yeswiki Yeswiki 4.2.3 Yeswiki Yeswiki 4.2.4 Yeswiki Yeswiki 4.3.0 Yeswiki Yeswiki 4.3.1	14

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References