Platform: php
Component: yeswiki/yeswiki
Fixed in: 4.5.5, 4.5.4
CVE-2025-46348 is a critical vulnerability affecting YesWiki versions up to 4.5.3. It allows unauthenticated attackers to initiate and download site backups, leading to potential data exposure. This vulnerability arises from insufficient authentication checks during the backup creation and retrieval processes. A fix is available in version 4.5.4.
The primary impact of CVE-2025-46348 is the unauthorized exposure of sensitive data stored within YesWiki backups. Attackers can leverage this vulnerability to download complete site archives without authentication. These archives may contain user credentials, configuration files, database dumps, and other confidential information. The predictable naming convention of the backup files further simplifies exploitation, allowing attackers to target specific backups. This could lead to data breaches, identity theft, and compromise of the entire YesWiki instance.
This vulnerability was publicly disclosed on 2025-04-29. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential for significant data exposure make it a high-priority vulnerability. Because backup operations require no authentication, the barrier to entry for attackers is low. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Organizations and individuals using YesWiki, particularly those hosting their own instances or utilizing shared hosting environments, are at risk. Legacy YesWiki installations that have not been regularly updated are especially vulnerable. Those relying on YesWiki for sensitive data storage or internal documentation are at higher risk.
• php / server:
  find /var/www/yeswiki/ -name 'backup.tar.gz' -print
• php / server:
  grep -r "action=s" /var/log/apache2/access.log
• generic web:
  curl -I http://your-yeswiki-domain.com/?api/archives
• generic web:
  Check access logs for requests to /?api/archives without authentication headers.
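As an added illustration of the log check in the last two items (this is not code from the advisory or from the YesWiki project), the following Python script parses Apache/nginx combined-format access log lines and flags requests to the /?api/archives endpoint that carry no HTTP auth user. The sample log lines, the hosts and the archive file name in them are constructed; the byte-size threshold for "looks like a download" is an assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Endpoint named in the advisory; matched as a substring so both the
# listing/creation call and a subsequent archive fetch under it are caught.
ARCHIVE_MARKER = "api/archives"

# Constructed sample traffic (not real data): one ordinary page view, an archive
# creation and an archive fetch from one anonymous host, and one request made by
# an HTTP-auth user. The archive file name is a made-up placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:00:01 +0000] "GET /?PagePrincipale HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2025:10:00:05 +0000] "POST /?api/archives HTTP/1.1" 200 42 "-" "curl/8.4.0"
203.0.113.7 - - [29/Apr/2025:10:02:11 +0000] "GET /?api/archives/example-backup.zip HTTP/1.1" 200 18833211 "-" "curl/8.4.0"
198.51.100.4 - admin [29/Apr/2025:11:15:00 +0000] "GET /?api/archives HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The bytes field is "-" when nothing was sent; treat that as 0.
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
    return rec


def find_archive_requests(log_text):
    """All parsable requests whose path touches the archive endpoint."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ARCHIVE_MARKER in rec["path"]:
            events.append(rec)
    return events


def unauthenticated_archive_requests(log_text):
    """Archive requests with no HTTP auth user recorded.

    Caveat: the remote-user field only reflects HTTP Basic/Digest auth. YesWiki's own
    cookie-based login is invisible in a default access log, so on a pre-4.5.4 instance
    every hit here deserves review rather than only the ones flagged by this filter.
    """
    return [e for e in find_archive_requests(log_text) if e["user"] == "-"]


def likely_downloads(events, min_bytes=1_000_000):
    """Successful GETs that returned a large body: probable archive downloads.

    min_bytes is an assumed threshold; tune it to the size of your own backups.
    """
    return [e for e in events
            if e["method"] == "GET" and e["status"] == 200 and e["bytes"] >= min_bytes]


def summarize_by_host(events):
    """Count flagged events per source address, for quick triage."""
    return Counter(e["host"] for e in events)


if __name__ == "__main__":
    anon = unauthenticated_archive_requests(SAMPLE_LOG)
    for e in anon:
        print(f'{e["time"]}  {e["host"]:<15} {e["method"]:<5} {e["path"]}  {e["status"]} {e["bytes"]}B')
    print("per host:", dict(summarize_by_host(anon)))
    print("probable downloads:", [e["path"] for e in likely_downloads(anon)])
```

Run it against a real file by replacing SAMPLE_LOG with the contents of your access log (gzip-rotated files included, since the disclosure date is 2025-04-29 and the relevant traffic may be older than the live log). A host that issues a POST to the endpoint followed shortly by a large GET beneath it is the pattern worth correlating with the backup directory listing from the find command above and with YesWiki's own application logs.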
Disclosure
Exploit status:
EPSS: 0.44% (63rd percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-46348 is to immediately upgrade YesWiki to version 4.5.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the backup directory or modifying the YesWiki configuration to disable the backup feature entirely. Monitor YesWiki logs for suspicious activity, particularly requests related to archive creation and download. After upgrading, confirm the fix by attempting to create and download a backup without authentication; the request should be denied.
Update YesWiki to version 4.5.4 or later. This version fixes the vulnerability that allows site backups to be created and downloaded without authentication. The update prevents unauthenticated attackers from accessing sensitive site information or filling the file system with backup requests.
CVE-2025-46348 is a critical vulnerability in YesWiki versions up to 4.5.3 that allows unauthenticated users to create and download site backups, potentially exposing sensitive data.
Yes, you are affected if you are using YesWiki version 4.5.3 or earlier. Immediately check your version and upgrade if necessary.
Upgrade YesWiki to version 4.5.4 or later to resolve this vulnerability. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the backup directory.
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation makes it a high-priority vulnerability.
Refer to the YesWiki project's official website and security advisories for the latest information and updates regarding CVE-2025-46348.